Erudika/scoold

An open-source StackOverflow clone, optimized for Heroku and the cloud

Alex Bogdanovski

@albogdano

@pikrakpzu that's right, you need the latest Para for Scoold 1.47

Alex Bogdanovski

@albogdano

@pikrakpzu ok, done

se-alexnsa

@se-alexnsa

Hey there. Are there any concerns we should have regarding the log4j vulnerability issues when it comes to this application?

Alex Bogdanovski

@albogdano

@se-alexnsa not at all - Scoold relies on Logback for logging and Log4j-core is not used anywhere

se-alexnsa

@se-alexnsa

Great. Could you provide a dependency tree report so that we can add that to our records?

Alex Bogdanovski

@albogdano

@se-alexnsa you can print out the dependencies of Scoold with mvn dependency:tree

se-alexnsa

@se-alexnsa

I used this pom.xml https://github.com/Erudika/scoold/blob/master/pom.xml - is that ok?
and can we do this for para as well https://github.com/Erudika/para/blob/master/pom.xml

Alex Bogdanovski

@albogdano

@se-alexnsa yes, that's right

se-alexnsa

@se-alexnsa

running for scoold returned the tree fine, but running for the current para pom.xml above returned

[[1;34mINFO[m] Scanning for projects...
[[1;31mERROR[m] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] Child module /home/alex/secretescapes/questions/para/para-server of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-core of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-client of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-war of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-jar of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
 @ 
[[1;31mERROR[m] The build could not read 1 project -> [1m[Help 1][m
[[1;31mERROR[m]   
[[1;31mERROR[m]   The project com.erudika:para-parent:1.42.1-SNAPSHOT (/home/alex/secretescapes/questions/para/pom.xml) has 5 errors
[[1;31mERROR[m]     Child module /home/alex/secretescapes/questions/para/para-server of /home/alex/secretescapes/questions/para/pom.xml does not exist
[[1;31mERROR[m]     Child module /home/alex/secretescapes/questions/para/para-core of /home/alex/secretescapes/questions/para/pom.xml does not exist
[[1;31mERROR[m]     Child module /home/alex/secretescapes/questions/para/para-client of /home/alex/secretescapes/questions/para/pom.xml does not exist
[[1;31mERROR[m]     Child module /home/alex/secretescapes/questions/para/para-war of /home/alex/secretescapes/questions/para/pom.xml does not exist
[[1;31mERROR[m]     Child module /home/alex/secretescapes/questions/para/para-jar of /home/alex/secretescapes/questions/para/pom.xml does not exist
[[1;31mERROR[m] 
[[1;31mERROR[m] To see the full stack trace of the errors, re-run Maven with the [1m-e[m switch.
[[1;31mERROR[m] Re-run Maven using the [1m-X[m switch to enable full debug logging.
[[1;31mERROR[m] 
[[1;31mERROR[m] For more information about the errors and possible solutions, please read the following articles:
[[1;31mERROR[m] [1m[Help 1][m http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException

Alex Bogdanovski

@albogdano

@se-alexnsa Para has a parent pom.xml and 5 submodules, each with its own pom.xml

se-alexnsa

@se-alexnsa

ok
so should I run mvn dependency:tree for each 5 of those pom.xml ?

Alex Bogdanovski

@albogdano

@se-alexnsa yes, it's best you do that

se-alexnsa

@se-alexnsa

ok
Also for scoold, we are actually using scoold pro - I can't access the pom file publicly in scoold pro repo, and also don't have one locally. How can we get the pom file for our version 1.45.0 scoold pro?

Alex Bogdanovski

@albogdano

scoold-pro-dependencies.txt

note that log4j-api is present in the list but it does not contain any vulnerable code

se-alexnsa

@se-alexnsa

thanks do you have for our current 1.45.0 we are running?

or the pom so we can run it

just to prove for our records

Alex Bogdanovski

@albogdano

@se-alexnsa yes, sure

scoold-pro-1.45.0.txt

se-alexnsa

@se-alexnsa

thanks

Robert R Allen

@smurfralf

I'm pre-populating scoold with questions and answers. When taking issues from Teams channels they frequently include screen print images. Is there a recommended approach for storing images to be used in questions? More details: to use an image in a question I need to provide a URL to the image location in a markdown link, but what I have is an image in my clipboard that I want to paste.

Alex Bogdanovski

@albogdano

@smurfralf Scoold does not have file upload functionality - that's part of Scoold Pro. Additionally, the Scoold Pro API does not yet expose the file upload methods, but I will amend that. You can use a file upload service to upload the files and get a link to embed in the posts.

pikrakpzu

@pikrakpzu

Is it possible to set the default space for new users to "All spaces" instead of "Default space"?
For config:

para.auto_assign_spaces = "ScopeA,ScopeB"

New users are assigned to the above spaces, as well as the "Default space" which is set as the default.
I noticed that many new users do not notice the spaces and leave Scoold thinking that there are no interesting topics there.
Setting default to "All spaces" wuold help them to explore more after first signin.

Alex Bogdanovski

@albogdano

@pikrakpzu When I come to think about it, that should actually be the default as it makes more sense. Thanks for the suggestion - I'll get it done soon.

Alex Bogdanovski

@albogdano

@pikrakpzu Erudika/scoold@be1e093

pikrakpzu

@pikrakpzu

@albogdano Awesome! :thumbsup:

I'm wondering how to make the Spaces button more obvious.
I asked a few users and they said that at first they thought of it as a separator between the application menu and the user menu.
Maybe enlarging it to the size of the adjacent user menu would make the button more noticeable.
If I come up with something I'll share.

Until then I'll just pin a question with a brief description of Scoold's basic functions, that should help.

Alex Bogdanovski

@albogdano

@pikrakpzu option A:

option B:

pikrakpzu

@pikrakpzu

@albogdano I think option A fits better with the current style, but both are clear. :ok_hand:

Alex Bogdanovski

@albogdano

:thumbsup:

I agree

pikrakpzu

@pikrakpzu

Hi,
I reported bug because the content is long, I didn't want to spam gitter.
Erudika/scoold-pro#58

Alex Bogdanovski

@albogdano

@pikrakpzu :thumbsup:

Alex Bogdanovski

@albogdano

@pikrakpzu releasing Scoold Pro 1.48.0now...

pikrakpzu

@pikrakpzu

@albogdano :thumbsup: Updated to 1.48.0, and with config para.security.oauth.users_equivalent_claim_value = ".*?USExR_SCOOLD.*" (such role doesnt exist) any user can sucessfully sign in trough OIDC. Expected error as they do not have required role.

I'll test if para.security.oauth.admins_equivalent_claim_value will add admin rights after signin.

Alex Bogdanovski

@albogdano

@pikrakpzu no error is displayed - users are automatically disabled with active: false

those users cannot log in

Alex Bogdanovski

@albogdano

I have added an INFO message when that happens

pikrakpzu

@pikrakpzu

@albogdano Hi, can You confirm that scoold-pro image was pushed correctly to aws?
I got this on pull:

1.48.1: Pulling from scoold-pro
97518928ae5f: Already exists 
170a48b9dc73: Already exists 
5de6f17ec67d: Already exists 
7a15738aa7d2: Pulling fs layer 
17e6d4d1b69e: Verifying Checksum 
filesystem layer verification failed for digest sha256:17e6d4d1b69e5e43e1cd761918a7f56b5e74ea43b19fb0437fa95f021a3fdf71

Alex Bogdanovski

@albogdano

latest digest for 1.48.1 is: sha256:a994968a0b26bc872b8ab4a7c51da00230ab59d69cfe0825a7d624733667c137

@pikrakpzu try restarting the Docker daemon

pikrakpzu

@pikrakpzu

@albogdano :thumbsup:

pikrakpzu

@pikrakpzu

Still no success with oauth.groups.
I changed the configuration like this:

para.security.oauth.groups_attribute_name = "/attributes/MemberOf"
para.security.oauth.admins_equivalent_claim_value = ".*?USER_SCOOLD.*"
para.security.oauth.users_equivalent_claim_value = ".*?USER_xxx_SCOOLD.*"

Signed in multiple times as user which in /attributes/MemberOf array has:
"CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY"

As a result, I was able to access Scoold at the user level every time.
The expected result is a sign in error due to missing .*?USER_xxx_SCOOLD.*, but it never occured.
Alternatively, administrator privileges should be granted, but they were not.
Since nothing happens I suspect the problem is in para.security.oauth.groups_attribute_name = "/attributes/MemberOf".

Which logs can I switch to trace whats going on with OIDC auth process in Scoold?
With default levels there is nothing in logs about signing in.
The only lines in Para's log worth noting are:

2022-02-10 12:45:23 [WARN ] null
com.nimbusds.jose.KeyLengthException: The secret length must be at least 256 bits
        at com.nimbusds.jose.crypto.impl.MACProvider.<init>(MACProvider.java:118)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:168)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:81)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:97)
        at com.erudika.para.server.security.SecurityUtils.isValidJWToken(SecurityUtils.java:225)
        at com.erudika.para.server.security.filters.PasswordlessAuthFilter.getOrCreateUser(PasswordlessAuthFilter.java:115)
        at com.erudika.para.server.security.JWTRestfulAuthFilter.getOrCreateUser(JWTRestfulAuthFilter.java:313)
...
2022-02-10 12:45:23 [TRACE] Invoking JWTRestfulAuthFilter (22/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RestAuthFilter (23/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RememberMeAuthenticationFilter (24/28)
2022-02-10 12:45:23 [DEBUG] SecurityContextHolder not populated with remember-me token, as it already contained: 'com.erudika.para.server.security.AppAuthentication@149545c2'

I can prowide full stacktrace if it would help.

Alex Bogdanovski

@albogdano

@pikrakpzu in order for the user roles setting to work, you have to be a regular user and have a payload form the identity provider like this:

{
    "sub": "username",
    "auth_time": 1531571734,
    "attributes": {
        "Office": "Full office name",
        "CN": "User Name",
        "credentialType": "Type",
        "DisplayName": "User Name (Office)",
        "DN": "uid=username,CN=Users,O=COMPANY",
        "Email": "username@company.com",
        "FN": "Firstname",
        "MemberOf": [
                                               "CN=UX_some_role,CN=UXUSER,CN=UX,CN=Groups,O=COMPANY",
                                               "CN=confluence-users,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
                                               "CN=wiki_space_pcpzu_edytor,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
                                               "CN=USER_xxx_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY",
                                               "CN=OTHER_SUPERUSER,CN=OTHER,CN=OS,CN=Groups,O=COMPANY"
        ],
        "Name": "username",
        "LN": "Lastname",
        "UID": "username"
    },
    "id": "username"
}

if for some reason the MemberOf object contains both the admins role USER_SCOOLD and USER_xxx_SCOOLD then you will be given the admin rights and you will be able to sign in

Alex Bogdanovski

@albogdano

only if the MemberOf array does not contain USER_xxx_SCOOLD will the user be deactivated

if for some reason your account is an admin account you won't be able to see this working

Where communities thrive

People

Repo info

Activity