security

2025-10-25 11:17:28 +02:00 · 2023-09-04 18:42:22 +01:00 · 2023-09-04 18:42:22 +01:00 · c7c81a7243
commit c7c81a7243
parent ac019ac196
8 changed files with 129 additions and 59 deletions
--- a/44
+++ b/44
@ -1,31 +1,39 @@
-# Build jbig2enc in a separate stage
+# Use the base image
 FROM frooodle/stirling-pdf-base:beta4

-ARG VERSION_TAG
-ENV VERSION_TAG=$VERSION_TAG
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG

-ENV DOCKER_ENABLE_SECURITY=false
+# Create user and group
+RUN groupadd -g $PGID stirlingpdfgroup && \
+    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME

-# Create scripts folder and copy local scripts
-RUN mkdir /scripts
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/tesseract-ocr-original
+
+# Copy necessary files
 COPY ./scripts/* /scripts/
-
-#Install fonts
-RUN mkdir /usr/share/fonts/opentype/noto/
 COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/
 COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/
-RUN fc-cache -f -v
-
-# Always copy the JAR 
 COPY build/libs/*.jar app.jar

-# Expose the application port
+# Set font cache and permissions
+RUN fc-cache -f -v && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar && \
+    chmod +x /scripts/init.sh
+
+# Expose necessary ports
 EXPOSE 8080

-# Set environment variables
-ENV APP_HOME_NAME="Stirling PDF"
-
-# Run the application
-RUN chmod +x /scripts/init.sh
+# Set user and run command
+USER stirlingpdfuser
 ENTRYPOINT ["/scripts/init.sh"]
 CMD ["java", "-jar", "/app.jar"]
--- a/30
+++ b/30
@ -10,17 +10,43 @@ RUN apt-get update && \
        unoconv && \
    rm -rf /var/lib/apt/lists/*

-# Copy the application JAR file
+
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG
+
+# Create user and group
+RUN groupadd -g $PGID stirlingpdfgroup && \
+    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /usr/share/fonts/opentype/noto /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/fonts/opentype/noto /configs /customFiles
+
+# Copy necessary files
+COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/
+COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto/
 COPY build/libs/*.jar app.jar

+# Set font cache and permissions
+RUN fc-cache -f -v && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar
+
+


 # Expose the application port
 EXPOSE 8080

 # Set environment variables
-ENV GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF
+ENV ENDPOINTS_GROUPS_TO_REMOVE=Python,OpenCV,OCRmyPDF
 ENV DOCKER_ENABLE_SECURITY=false

 # Run the application
+USER stirlingpdfuser
 CMD ["java", "-jar", "/app.jar"]
--- a/25
+++ b/25
@ -1,16 +1,33 @@
 # Build jbig2enc in a separate stage
 FROM bellsoft/liberica-openjdk-alpine:17

-# Copy the application JAR file
+# Set Environment Variables
+ENV PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    DOCKER_ENABLE_SECURITY=false \
+    HOME=/home/stirlingpdfuser \
+    VERSION_TAG=$VERSION_TAG
+
+# Create user and group using Alpine's addgroup and adduser
+RUN addgroup -g $PGID stirlingpdfgroup && \
+    adduser -u $PUID -G stirlingpdfgroup -s /bin/sh -D stirlingpdfuser && \
+    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
+# Set up necessary directories and permissions
+RUN mkdir -p /scripts /configs /customFiles && \
+    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /configs /customFiles
+
 COPY build/libs/*.jar app.jar

+# Set font cache and permissions
+RUN chown stirlingpdfuser:stirlingpdfgroup /app.jar
+
 # Expose the application port
 EXPOSE 8080

-
-
 # Set environment variables
-ENV GROUPS_TO_REMOVE=CLI
+ENV ENDPOINTS_GROUPS_TO_REMOVE=CLI
 ENV DOCKER_ENABLE_SECURITY=false

 # Run the application
--- a/src/main/java/stirling/software/SPDF/controller/api/UserController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/UserController.java
@ -71,7 +71,7 @@ public class UserController {


        userService.changePassword(user, newPassword);
-        if(!user.getUsername().equals(newUsername)) {
+        if(newUsername != null && newUsername.length() > 0 && !user.getUsername().equals(newUsername)) {
            userService.changeUsername(user, newUsername);
        }
        userService.changeFirstUse(user, false);
@ -111,8 +111,9 @@ public class UserController {
    	    return new RedirectView("/account?messageType=usernameExists");
    	}

-
-        userService.changeUsername(user, newUsername);
+    	if(newUsername != null && newUsername.length() > 0) {
+            userService.changeUsername(user, newUsername);
+        }

        // Logout using Spring's utility
        new SecurityContextLogoutHandler().logout(request, response, null);
@ -173,9 +174,14 @@ public class UserController {

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @PostMapping("/admin/saveUser")
-    public String saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role) {
-        userService.saveUser(username, password, role);
-        return "redirect:/addUsers";  // Redirect to account page after adding the user
+    public RedirectView saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String role, 
+    		@RequestParam(name = "forceChange", required = false, defaultValue = "false") boolean forceChange) {
+    	
+    	if(userService.usernameExists(username)) {
+    		return new RedirectView("/addUsers?messageType=usernameExists");
+    	}
+        userService.saveUser(username, password, role, forceChange);
+        return new RedirectView("/addUsers");  // Redirect to account page after adding the user
    }

    
--- a/src/main/resources/messages_en_GB.properties
+++ b/src/main/resources/messages_en_GB.properties
@ -119,6 +119,7 @@ adminUserSettings.role=Role
 adminUserSettings.actions=Actions
 adminUserSettings.apiUser=Limited API User
 adminUserSettings.webOnlyUser=Web Only User
+adminUserSettings.forceChange = Force user to change username/password on login
 adminUserSettings.submit=Save User

 #############
@ -767,13 +768,6 @@ changeMetadata.selectText.5=Add Custom Metadata Entry
 changeMetadata.submit=Change


-#xlsToPdf
-xlsToPdf.title=Excel to PDF
-xlsToPdf.header=Excel to PDF
-xlsToPdf.selectText.1=Select XLS or XLSX Excel sheet to convert
-xlsToPdf.convert=convert
-
-
 #pdfToPDFA
 pdfToPDFA.title=PDF To PDF/A
 pdfToPDFA.header=PDF To PDF/A
--- a/src/main/resources/templates/addUsers.html
+++ b/src/main/resources/templates/addUsers.html
@ -12,7 +12,7 @@
            <div class="container">
                <div class="row justify-content-center">
                    <div class="col-md-8">
-
+			
                        <!-- User Settings Title -->
                        <h2 class="text-center" th:text="#{adminUserSettings.header}">Admin User Control Settings</h2>
                      
@ -43,6 +43,9 @@
 						

 						<h2 th:text="#{adminUserSettings.addUser}">Add New User</h2>
+						<div th:if="${param.messageType != null and param.messageType.size() > 0 and param.messageType[0] == 'usernameExists'}" class="alert alert-danger">
+						    <span th:text="#{usernameExistsMessage}">Default message if not found</span>
+						</div>
 					    <form action="/admin/saveUser" method="post">
 					        <div class="mb-3">
 					            <label for="username" th:text="#{username}">Username</label>
@ -61,6 +64,10 @@
 						            <option value="ROLE_WEB_ONLY_USER" th:text="#{adminUserSettings.webOnlyUser}">Web Only User</option>
 						        </select>
 						    </div>
+					        <div class="mb-3">
+							    <input type="checkbox" class="form-check-input" id="forceChange" name="forceChange">
+							    <label class="form-check-label" for="forceChange" th:text="#{adminUserSettings.forceChange}">Force user to change username/password on login</label>
+							</div>
 					        
 					        <!-- Add other fields as required -->
 					        <button type="submit" class="btn btn-primary"  th:text="#{adminUserSettings.submit}">Save User</button>
--- a/src/main/resources/templates/change-creds.html
+++ b/src/main/resources/templates/change-creds.html
@ -40,7 +40,7 @@
                        <form action="/change-username-and-password" method="post">
                            <div class="mb-3">
                                <label for="newUsername" th:text="#{changeCreds.newUsername}">New Username</label>
-                                <input type="text" class="form-control" name="newUsername" id="newUsername" placeholder="New Username">
+                                <input type="text" class="form-control" name="newUsername" id="newUsername" th:placeholder="${username}">
                            </div>
                            <div class="mb-3">
                                <label for="currentPassword" th:text="#{changeCreds.oldPassword}">Old Password</label>
--- a/src/main/resources/templates/security/add-watermark.html
+++ b/src/main/resources/templates/security/add-watermark.html
@ -28,7 +28,16 @@
                                    <option value="image">Image</option>
                                </select>
                            </div>
-                            
+                            <div id="alphabetGroup" class="mb-3">
+	                            <label for="fontSize" th:text="#{alphabet} + ':'"></label> 
+	                            <select class="form-control" name="alphabet" id="alphabet-select">
+	                                <option value="roman">Roman</option>
+	                                <option value="arabic">العربية</option>
+	                                <option value="japanese">日本語</option>
+	                                <option value="korean">한국어</option>
+	                                <option value="chinese">简体中文</option>
+	                            </select>
+                            </div>
                            <div id="watermarkTextGroup" class="mb-3">
                                <label for="watermarkText" th:text="#{watermark.selectText.2}"></label> 
                                <input type="text" id="watermarkText" name="watermarkText" class="form-control" placeholder="Stirling-PDF" required />
@ -101,25 +110,28 @@
                        </form>
                        
                        <script>
-						    function toggleFileOption() {
-						        const watermarkType = document.getElementById('watermarkType').value;
-						        const watermarkTextGroup = document.getElementById('watermarkTextGroup');
-						        const watermarkImageGroup = document.getElementById('watermarkImageGroup');
-						        const watermarkText = document.getElementById('watermarkText');
-						        const watermarkImage = document.getElementById('watermarkImage');
-						
-						        if (watermarkType === 'text') {
-						            watermarkTextGroup.style.display = 'block';
-						            watermarkText.required = true;
-						            watermarkImageGroup.style.display = 'none';
-						            watermarkImage.required = false;
-						        } else if (watermarkType === 'image') {
-						            watermarkTextGroup.style.display = 'none';
-						            watermarkText.required = false;
-						            watermarkImageGroup.style.display = 'block';
-						            watermarkImage.required = true;
-						        }
-						    }
+                        function toggleFileOption() {
+                            const watermarkType = document.getElementById('watermarkType').value;
+                            const watermarkTextGroup = document.getElementById('watermarkTextGroup');
+                            const watermarkImageGroup = document.getElementById('watermarkImageGroup');
+                            const alphabetGroup = document.getElementById('alphabetGroup'); // This is the new addition
+                            const watermarkText = document.getElementById('watermarkText');
+                            const watermarkImage = document.getElementById('watermarkImage');
+
+                            if (watermarkType === 'text') {
+                                watermarkTextGroup.style.display = 'block';
+                                watermarkText.required = true;
+                                watermarkImageGroup.style.display = 'none';
+                                watermarkImage.required = false;
+                                alphabetGroup.style.display = 'block';
+                            } else if (watermarkType === 'image') {
+                                watermarkTextGroup.style.display = 'none';
+                                watermarkText.required = false;
+                                watermarkImageGroup.style.display = 'block';
+                                watermarkImage.required = true;
+                                alphabetGroup.style.display = 'none';
+                            }
+                        }
 						</script>

                    </div>