Merge branch 'feature/security'

OpenConext · Jan 12, 2024 · 77177f4 · 77177f4
2 parents 1890b8c + a37c70a
commit 77177f4
Show file tree

Hide file tree

Showing 47 changed files with 1,411 additions and 2,484 deletions.
diff --git a/.gitignore b/.gitignore
@@ -19,4 +19,6 @@ manage-prd
 manage-server/mongo_db_queries.txt
 dependency.tree
 invite_public_key.pem
-NOTES.md
+NOTES.md
+yarn.list
+
diff --git a/manage-gui/.nvmrc b/manage-gui/.nvmrc
@@ -1 +1 @@
-v16.13.2
+v20.8.0
diff --git a/manage-gui/package.json b/manage-gui/package.json
@@ -3,13 +3,12 @@
   "version": "0.1.0",
   "private": true,
   "dependencies": {
-    "@uiw/react-md-editor": "^3.9.5",
+    "@uiw/react-md-editor": "^4.0.3",
     "dompurify": "^3.0.6",
     "http-proxy-middleware": "^2.0.3",
     "lodash.merge": "^4.6.2",
-    "marked": "^4.0.12",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
     "react-json-view": "^1.21.3",
     "source-map-explorer": "^2.5.2"
   },
@@ -31,7 +30,7 @@
     "react-scripts": "5.0.1",
     "react-select": "^5.2.2",
     "react-tooltip": "^4.2.21",
-    "sass": "^1.57.1",
+    "sass": "^1.69.7",
     "scroll-into-view": "^1.16.0",
     "spin.js": "^2.3.2",
     "urijs": "^1.19.11"
@@ -41,8 +40,8 @@
     "yaml": "^2.3.1"
   },
   "scripts": {
-    "start": "PORT=3006 HOST=localhost DANGEROUSLY_DISABLE_HOST_CHECK=true react-scripts start",
-    "build": "HOST=localhost DANGEROUSLY_DISABLE_HOST_CHECK=true react-scripts build",
+    "start": "PORT=3006 HOST=localhost DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=false react-scripts start",
+    "build": "HOST=localhost DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=false react-scripts build",
     "test": "HOST=localhost DANGEROUSLY_DISABLE_HOST_CHECK=true CI=true react-scripts test",
     "analyze": "source-map-explorer 'build/static/js/*.js'"
   },

diff --git a/manage-gui/pom.xml b/manage-gui/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.openconext</groupId>
         <artifactId>manage</artifactId>
-        <version>7.3.2</version>
+        <version>7.3.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -37,8 +37,8 @@
                             <goal>install-node-and-yarn</goal>
                         </goals>
                         <configuration>
-                            <nodeVersion>v16.13.2</nodeVersion>
-                            <yarnVersion>v1.22.19</yarnVersion>
+                            <nodeVersion>v20.8.0</nodeVersion>
+                            <yarnVersion>v1.22.21</yarnVersion>
                         </configuration>
                     </execution>
                     <execution>

diff --git a/manage-gui/src/components/metadata/Manipulation.jsx b/manage-gui/src/components/metadata/Manipulation.jsx
@@ -5,14 +5,15 @@ import PropTypes from "prop-types";
 import CodeMirror from "react-codemirror";
 import "codemirror/mode/javascript/javascript";
 import "codemirror/lib/codemirror.css";
-import "@uiw/react-md-editor/dist/mdeditor.css";
+import "@uiw/react-md-editor/markdown-editor.css";
 import "./Manipulation.scss";
 import {isEmpty, stop} from "../../utils/Utils";
 
 export default class Manipulation extends React.PureComponent {
 
     constructor(props) {
         super(props);
+
         this.state = {
             tabs: ["manipulation", "notes"],
             selectedTab: "manipulation",
@@ -49,7 +50,8 @@ export default class Manipulation extends React.PureComponent {
         </span>;
 
     renderNotes() {
-        const {notes} = this.props;
+        const {notes, currentUser} = this.props;
+        const allowed = currentUser.authorities.some(authority => authority.authority === "ROLE_SUPER_USER");
         return (
             <div className="manipulation-info">
                 <h2>
@@ -59,17 +61,20 @@ export default class Manipulation extends React.PureComponent {
                     </a>
                 </h2>
                 <section className="notes">
-                    <MDEditor value={notes} onChange={this.onChange("data.manipulationNotes")}/>
+                    {allowed && <MDEditor value={notes}
+                                          onChange={this.onChange("data.manipulationNotes")}/>}
+
+                    {!allowed && <MDEditor.Markdown source={notes} style={{whiteSpace: 'pre-wrap'}}/>}
                 </section>
             </div>
         );
     }
 
     renderManipulation() {
-        const {content, guest} = this.props;
+        const {content, currentUser} = this.props;
+        const allowed = currentUser.authorities.some(authority => authority.authority === "ROLE_SUPER_USER");
         const optionsForInfo = {lineNumbers: false, mode: "javascript", readOnly: true};
-        const optionsForContent = {lineNumbers: true, mode: "javascript", readOnly: guest};
-
+        const optionsForContent = {lineNumbers: true, mode: "javascript", readOnly: !allowed};
         const info = `
 /**
  * PHP code for advanced Response Manipulation.
@@ -89,9 +94,14 @@ export default class Manipulation extends React.PureComponent {
                         {I18n.t("manipulation.manipulationInfo")}
                     </a>
                 </h2>
-                <CodeMirror className="comments" value={info} options={optionsForInfo}/>
-                <div className="spacer"></div>
-                <CodeMirror value={content} onChange={this.onChange("data.manipulation")} options={optionsForContent}/>
+                <CodeMirror className="comments"
+                            value={info}
+                            options={optionsForInfo}/>
+                {!allowed && <div className="remarks">{I18n.t("manipulation.allowedDisclaimer")}</div>}
+                <CodeMirror className={allowed ? "" : "read-only"}
+                            value={content}
+                            onChange={this.onChange("data.manipulation")}
+                            options={optionsForContent}/>
             </div>
         );
     }
@@ -113,6 +123,6 @@ Manipulation.propTypes = {
     content: PropTypes.string,
     notes: PropTypes.string,
     onChange: PropTypes.func.isRequired,
-    guest: PropTypes.bool.isRequired
+    currentUser: PropTypes.any.isRequired
 };
 
diff --git a/manage-gui/src/components/metadata/Manipulation.scss b/manage-gui/src/components/metadata/Manipulation.scss
@@ -77,4 +77,15 @@
             background-color: $lightest-grey;
         }
     }
+    .read-only {
+        .CodeMirror {
+            background-color: $hover;
+        }
+    }
+
+    .remarks {
+        font-weight: 600;
+        margin: 15px;
+        font-size: 18px;
+    }
 }
diff --git a/manage-gui/src/locale/en.js b/manage-gui/src/locale/en.js
@@ -270,7 +270,8 @@ I18n.translations.en = {
         manipulationInfo: "Documentation on attribute manipulations",
         notesInfo: "Documentation on attribute manipulations notes",
         manipulation: "PHP Code",
-        notes: "Notes"
+        notes: "Notes",
+        allowedDisclaimer: "You are not allowed to edit manipulations"
     },
 
     metaDataFields: {

diff --git a/manage-gui/src/pages/Detail.jsx b/manage-gui/src/pages/Detail.jsx
@@ -21,8 +21,8 @@ import {
     allResourceServers,
     changeRequests,
     detail,
-    relyingPartiesByResourceServer,
     provisioningById,
+    relyingPartiesByResourceServer,
     remove,
     revisions,
     save,
@@ -741,7 +741,8 @@ class Detail extends React.PureComponent {
         const configuration = this.props.configuration.find(
             conf => conf.title === this.state.type
         );
-        const guest = this.props.currentUser.guest;
+        const {currentUser} = this.props
+        const {guest} = currentUser;
         const {
             isNew,
             originalEntityId,
@@ -837,7 +838,7 @@ class Detail extends React.PureComponent {
                         content={metaData.data.manipulation || ""}
                         notes={metaData.data.manipulationNotes || ""}
                         onChange={this.onChange("manipulation")}
-                        guest={guest}
+                        currentUser={currentUser}
                     />
                 );
             case "consent_disabling":