se-alexnsa
@se-alexnsa
Hey there. Are there any concerns we should have regarding the log4j vulnerability issues when it comes to this application?
Alex Bogdanovski
@albogdano
@se-alexnsa not at all - Scoold relies on Logback for logging and Log4j-core is not used anywhere
se-alexnsa
@se-alexnsa
Great. Could you provide a dependency tree report so that we can add that to our records?
Alex Bogdanovski
@albogdano
@se-alexnsa you can print out the dependencies of Scoold with mvn dependency:tree
se-alexnsa
@se-alexnsa
I used this pom.xml https://github.com/Erudika/scoold/blob/master/pom.xml - is that ok?
and can we do this for para as well https://github.com/Erudika/para/blob/master/pom.xml
Alex Bogdanovski
@albogdano
@se-alexnsa yes, that's right
se-alexnsa
@se-alexnsa
running for scoold returned the tree fine, but running for the current para pom.xml above returned
[INFO] Scanning for projects...
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] Child module /home/alex/secretescapes/questions/para/para-server of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-core of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-client of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-war of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
[ERROR] Child module /home/alex/secretescapes/questions/para/para-jar of /home/alex/secretescapes/questions/para/pom.xml does not exist @ 
 @ 
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]   
[ERROR]   The project com.erudika:para-parent:1.42.1-SNAPSHOT (/home/alex/secretescapes/questions/para/pom.xml) has 5 errors
[ERROR]     Child module /home/alex/secretescapes/questions/para/para-server of /home/alex/secretescapes/questions/para/pom.xml does not exist
[ERROR]     Child module /home/alex/secretescapes/questions/para/para-core of /home/alex/secretescapes/questions/para/pom.xml does not exist
[ERROR]     Child module /home/alex/secretescapes/questions/para/para-client of /home/alex/secretescapes/questions/para/pom.xml does not exist
[ERROR]     Child module /home/alex/secretescapes/questions/para/para-war of /home/alex/secretescapes/questions/para/pom.xml does not exist
[ERROR]     Child module /home/alex/secretescapes/questions/para/para-jar of /home/alex/secretescapes/questions/para/pom.xml does not exist
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
Alex Bogdanovski
@albogdano
@se-alexnsa Para has a parent pom.xml and 5 submodules, each with its own pom.xml
se-alexnsa
@se-alexnsa
ok
so should I run mvn dependency:tree for each 5 of those pom.xml ?
Alex Bogdanovski
@albogdano
@se-alexnsa yes, it's best you do that
se-alexnsa
@se-alexnsa
ok
Also for scoold, we are actually using scoold pro - I can't access the pom file publicly in scoold pro repo, and also don't have one locally. How can we get the pom file for our version 1.45.0 scoold pro?
Alex Bogdanovski
@albogdano
note that log4j-api is present in the list but it does not contain any vulnerable code
se-alexnsa
@se-alexnsa
thanks do you have for our current 1.45.0 we are running?
or the pom so we can run it
just to prove for our records
Alex Bogdanovski
@albogdano
@se-alexnsa yes, sure
se-alexnsa
@se-alexnsa
thanks
Robert R Allen
@smurfralf
I'm pre-populating scoold with questions and answers. When taking issues from Teams channels they frequently include screen print images. Is there a recommended approach for storing images to be used in questions? More details: to use an image in a question I need to provide a URL to the image location in a markdown link, but what I have is an image in my clipboard that I want to paste.
Alex Bogdanovski
@albogdano
@smurfralf Scoold does not have file upload functionality - that's part of Scoold Pro. Additionally, the Scoold Pro API does not yet expose the file upload methods, but I will amend that. You can use a file upload service to upload the files and get a link to embed in the posts.
pikrakpzu
@pikrakpzu

Is it possible to set the default space for new users to "All spaces" instead of "Default space"?
For config:

para.auto_assign_spaces = "ScopeA,ScopeB"

New users are assigned to the above spaces, as well as the "Default space" which is set as the default.
I noticed that many new users do not notice the spaces and leave Scoold thinking that there are no interesting topics there.
Setting default to "All spaces" would help them to explore more after first signin.

Alex Bogdanovski
@albogdano
@pikrakpzu When I come to think about it, that should actually be the default as it makes more sense. Thanks for the suggestion - I'll get it done soon.
Alex Bogdanovski
@albogdano
pikrakpzu
@pikrakpzu

@albogdano Awesome! :thumbsup:

I'm wondering how to make the Spaces button more obvious.
I asked a few users and they said that at first they thought of it as a separator between the application menu and the user menu.
Maybe enlarging it to the size of the adjacent user menu would make the button more noticeable.
If I come up with something I'll share.

Until then I'll just pin a question with a brief description of Scoold's basic functions, that should help.

Alex Bogdanovski
@albogdano
@pikrakpzu option A: Screenshot from 2022-01-19 14-38-28.png
option B:
Screenshot from 2022-01-19 14-49-30.png
pikrakpzu
@pikrakpzu
@albogdano I think option A fits better with the current style, but both are clear. :ok_hand:
Alex Bogdanovski
@albogdano
:thumbsup:
I agree
pikrakpzu
@pikrakpzu
Hi,
I reported a bug because the content is long, I didn't want to spam gitter.
Erudika/scoold-pro#58
Alex Bogdanovski
@albogdano
@pikrakpzu :thumbsup:
Alex Bogdanovski
@albogdano
@pikrakpzu releasing Scoold Pro 1.48.0 now...
pikrakpzu
@pikrakpzu
@albogdano :thumbsup: Updated to 1.48.0, and with config para.security.oauth.users_equivalent_claim_value = ".*?USExR_SCOOLD.*" (such role doesn't exist) any user can successfully sign in through OIDC. Expected error as they do not have required role.
I'll test if para.security.oauth.admins_equivalent_claim_value will add admin rights after signin.
Alex Bogdanovski
@albogdano
@pikrakpzu no error is displayed - users are automatically disabled with active: false
those users cannot log in
Alex Bogdanovski
@albogdano
I have added an INFO message when that happens
pikrakpzu
@pikrakpzu
@albogdano Hi, can you confirm that scoold-pro image was pushed correctly to aws?
I got this on pull:
1.48.1: Pulling from scoold-pro
97518928ae5f: Already exists 
170a48b9dc73: Already exists 
5de6f17ec67d: Already exists 
7a15738aa7d2: Pulling fs layer 
17e6d4d1b69e: Verifying Checksum 
filesystem layer verification failed for digest sha256:17e6d4d1b69e5e43e1cd761918a7f56b5e74ea43b19fb0437fa95f021a3fdf71
Alex Bogdanovski
@albogdano
latest digest for 1.48.1 is: sha256:a994968a0b26bc872b8ab4a7c51da00230ab59d69cfe0825a7d624733667c137
@pikrakpzu try restarting the Docker daemon
pikrakpzu
@pikrakpzu
@albogdano :thumbsup:
pikrakpzu
@pikrakpzu

Still no success with oauth.groups.
I changed the configuration like this:

para.security.oauth.groups_attribute_name = "/attributes/MemberOf"
para.security.oauth.admins_equivalent_claim_value = ".*?USER_SCOOLD.*"
para.security.oauth.users_equivalent_claim_value = ".*?USER_xxx_SCOOLD.*"

Signed in multiple times as user which in /attributes/MemberOf array has:
"CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY"

As a result, I was able to access Scoold at the user level every time.
The expected result is a sign in error due to missing .*?USER_xxx_SCOOLD.*, but it never occurred.
Alternatively, administrator privileges should be granted, but they were not.
Since nothing happens I suspect the problem is in para.security.oauth.groups_attribute_name = "/attributes/MemberOf".

Which logs can I switch to trace what's going on with OIDC auth process in Scoold?
With default levels there is nothing in logs about signing in.
The only lines in Para's log worth noting are:

2022-02-10 12:45:23 [WARN ] null
com.nimbusds.jose.KeyLengthException: The secret length must be at least 256 bits
        at com.nimbusds.jose.crypto.impl.MACProvider.<init>(MACProvider.java:118)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:168)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:81)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:97)
        at com.erudika.para.server.security.SecurityUtils.isValidJWToken(SecurityUtils.java:225)
        at com.erudika.para.server.security.filters.PasswordlessAuthFilter.getOrCreateUser(PasswordlessAuthFilter.java:115)
        at com.erudika.para.server.security.JWTRestfulAuthFilter.getOrCreateUser(JWTRestfulAuthFilter.java:313)
...
2022-02-10 12:45:23 [TRACE] Invoking JWTRestfulAuthFilter (22/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RestAuthFilter (23/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RememberMeAuthenticationFilter (24/28)
2022-02-10 12:45:23 [DEBUG] SecurityContextHolder not populated with remember-me token, as it already contained: 'com.erudika.para.server.security.AppAuthentication@149545c2'

I can provide full stacktrace if it would help.

Alex Bogdanovski
@albogdano
@pikrakpzu in order for the user roles setting to work, you have to be a regular user and have a payload from the identity provider like this:
{
    "sub": "username",
    "auth_time": 1531571734,
    "attributes": {
        "Office": "Full office name",
        "CN": "User Name",
        "credentialType": "Type",
        "DisplayName": "User Name (Office)",
        "DN": "uid=username,CN=Users,O=COMPANY",
        "Email": "username@company.com",
        "FN": "Firstname",
        "MemberOf": [
            "CN=UX_some_role,CN=UXUSER,CN=UX,CN=Groups,O=COMPANY",
            "CN=confluence-users,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
            "CN=wiki_space_pcpzu_edytor,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
            "CN=USER_xxx_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY",
            "CN=OTHER_SUPERUSER,CN=OTHER,CN=OS,CN=Groups,O=COMPANY"
        ],
        "Name": "username",
        "LN": "Lastname",
        "UID": "username"
    },
    "id": "username"
}
if for some reason the MemberOf object contains both the admins role USER_SCOOLD and USER_xxx_SCOOLD then you will be given the admin rights and you will be able to sign in
Alex Bogdanovski
@albogdano
only if the MemberOf array does not contain USER_xxx_SCOOLD will the user be deactivated
if for some reason your account is an admin account you won't be able to see this working
admin privileges are granted on login, not immediately
also make sure that you have para.security.oauth2.token_delegation_enabled = true