Alex Bogdanovski
@albogdano
@se-alexnsa Para has a parent pom.xml and 5 submodules, each with its own pom.xml
se-alexnsa
@se-alexnsa
ok
so should I run mvn dependency:tree for each of those 5 pom.xml files?
Alex Bogdanovski
@albogdano
@se-alexnsa yes, it's best you do that
se-alexnsa
@se-alexnsa
ok
Also for scoold, we are actually using scoold pro - I can't access the pom file publicly in the scoold pro repo, and also don't have one locally. How can we get the pom file for our version 1.45.0 scoold pro?
Alex Bogdanovski
@albogdano
note that log4j-api is present in the list but it does not contain any vulnerable code
se-alexnsa
@se-alexnsa
thanks, do you have one for our current 1.45.0 we are running?
or the pom so we can run it
just to prove for our records
Alex Bogdanovski
@albogdano
@se-alexnsa yes, sure
se-alexnsa
@se-alexnsa
thanks
Robert R Allen
@smurfralf
I'm pre-populating scoold with questions and answers. When taking issues from Teams channels they frequently include screen print images. Is there a recommended approach for storing images to be used in questions? More details: to use an image in a question I need to provide a URL to the image location in a markdown link, but what I have is an image in my clipboard that I want to paste.
Alex Bogdanovski
@albogdano
@smurfralf Scoold does not have file upload functionality - that's part of Scoold Pro. Additionally, the Scoold Pro API does not yet expose the file upload methods, but I will amend that. You can use a file upload service to upload the files and get a link to embed in the posts.
pikrakpzu
@pikrakpzu

Is it possible to set the default space for new users to "All spaces" instead of "Default space"?
For config:

para.auto_assign_spaces = "ScopeA,ScopeB"

New users are assigned to the above spaces, as well as the "Default space" which is set as the default.
I noticed that many new users do not notice the spaces and leave Scoold thinking that there are no interesting topics there.
Setting the default to "All spaces" would help them to explore more after first sign-in.

Alex Bogdanovski
@albogdano
@pikrakpzu When I come to think about it, that should actually be the default as it makes more sense. Thanks for the suggestion - I'll get it done soon.
pikrakpzu
@pikrakpzu

@albogdano Awesome! :thumbsup:

I'm wondering how to make the Spaces button more obvious.
I asked a few users and they said that at first they thought of it as a separator between the application menu and the user menu.
Maybe enlarging it to the size of the adjacent user menu would make the button more noticeable.
If I come up with something I'll share.

Until then I'll just pin a question with a brief description of Scoold's basic functions, that should help.

Alex Bogdanovski
@albogdano
@pikrakpzu option A: Screenshot from 2022-01-19 14-38-28.png
option B:
Screenshot from 2022-01-19 14-49-30.png
pikrakpzu
@pikrakpzu
@albogdano I think option A fits better with the current style, but both are clear. :ok_hand:
Alex Bogdanovski
@albogdano
:thumbsup:
I agree
pikrakpzu
@pikrakpzu
Hi,
I reported a bug because the content is long; I didn't want to spam Gitter.
Erudika/scoold-pro#58
Alex Bogdanovski
@albogdano
@pikrakpzu :thumbsup:
Alex Bogdanovski
@albogdano
@pikrakpzu releasing Scoold Pro 1.48.0 now...
pikrakpzu
@pikrakpzu
@albogdano :thumbsup: Updated to 1.48.0, and with config para.security.oauth.users_equivalent_claim_value = ".*?USExR_SCOOLD.*" (such a role doesn't exist) any user can successfully sign in through OIDC. Expected an error as they do not have the required role.
I'll test if para.security.oauth.admins_equivalent_claim_value will add admin rights after signin.
Alex Bogdanovski
@albogdano
@pikrakpzu no error is displayed - users are automatically disabled with active: false
those users cannot log in
Alex Bogdanovski
@albogdano
I have added an INFO message when that happens
pikrakpzu
@pikrakpzu
@albogdano Hi, can you confirm that the scoold-pro image was pushed correctly to AWS?
I got this on pull:
1.48.1: Pulling from scoold-pro
97518928ae5f: Already exists 
170a48b9dc73: Already exists 
5de6f17ec67d: Already exists 
7a15738aa7d2: Pulling fs layer 
17e6d4d1b69e: Verifying Checksum 
filesystem layer verification failed for digest sha256:17e6d4d1b69e5e43e1cd761918a7f56b5e74ea43b19fb0437fa95f021a3fdf71
Alex Bogdanovski
@albogdano
latest digest for 1.48.1 is: sha256:a994968a0b26bc872b8ab4a7c51da00230ab59d69cfe0825a7d624733667c137
@pikrakpzu try restarting the Docker daemon
pikrakpzu
@pikrakpzu
@albogdano :thumbsup:
pikrakpzu
@pikrakpzu

Still no success with oauth.groups.
I changed the configuration like this:

para.security.oauth.groups_attribute_name = "/attributes/MemberOf"
para.security.oauth.admins_equivalent_claim_value = ".*?USER_SCOOLD.*"
para.security.oauth.users_equivalent_claim_value = ".*?USER_xxx_SCOOLD.*"

Signed in multiple times as user which in /attributes/MemberOf array has:
"CN=USER_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY"

As a result, I was able to access Scoold at the user level every time.
The expected result is a sign-in error due to missing .*?USER_xxx_SCOOLD.*, but it never occurred.
Alternatively, administrator privileges should be granted, but they were not.
Since nothing happens I suspect the problem is in para.security.oauth.groups_attribute_name = "/attributes/MemberOf".

Which logs can I switch on to trace what's going on with the OIDC auth process in Scoold?
With default levels there is nothing in the logs about signing in.
The only lines in Para's log worth noting are:

2022-02-10 12:45:23 [WARN ] null
com.nimbusds.jose.KeyLengthException: The secret length must be at least 256 bits
        at com.nimbusds.jose.crypto.impl.MACProvider.<init>(MACProvider.java:118)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:168)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:81)
        at com.nimbusds.jose.crypto.MACVerifier.<init>(MACVerifier.java:97)
        at com.erudika.para.server.security.SecurityUtils.isValidJWToken(SecurityUtils.java:225)
        at com.erudika.para.server.security.filters.PasswordlessAuthFilter.getOrCreateUser(PasswordlessAuthFilter.java:115)
        at com.erudika.para.server.security.JWTRestfulAuthFilter.getOrCreateUser(JWTRestfulAuthFilter.java:313)
...
2022-02-10 12:45:23 [TRACE] Invoking JWTRestfulAuthFilter (22/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RestAuthFilter (23/28)
2022-02-10 12:45:23 [DEBUG] Checking match of request : '/v1/_id/6202552ce54b5b05c40cf670:profile'; against '^/v\d[\.\d]*/.*'
2022-02-10 12:45:23 [TRACE] Invoking RememberMeAuthenticationFilter (24/28)
2022-02-10 12:45:23 [DEBUG] SecurityContextHolder not populated with remember-me token, as it already contained: 'com.erudika.para.server.security.AppAuthentication@149545c2'

I can provide the full stacktrace if it would help.

Alex Bogdanovski
@albogdano
@pikrakpzu in order for the user roles setting to work, you have to be a regular user and have a payload from the identity provider like this:
{
    "sub": "username",
    "auth_time": 1531571734,
    "attributes": {
        "Office": "Full office name",
        "CN": "User Name",
        "credentialType": "Type",
        "DisplayName": "User Name (Office)",
        "DN": "uid=username,CN=Users,O=COMPANY",
        "Email": "username@company.com",
        "FN": "Firstname",
        "MemberOf": [
            "CN=UX_some_role,CN=UXUSER,CN=UX,CN=Groups,O=COMPANY",
            "CN=confluence-users,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
            "CN=wiki_space_pcpzu_edytor,CN=CF_PROD,CN=CF,CN=Groups,O=COMPANY",
            "CN=USER_xxx_SCOOLD,CN=SCOOLD,CN=Groups,O=COMPANY",
            "CN=OTHER_SUPERUSER,CN=OTHER,CN=OS,CN=Groups,O=COMPANY"
        ],
        "Name": "username",
        "LN": "Lastname",
        "UID": "username"
    },
    "id": "username"
}
if for some reason the MemberOf object contains both the admins role USER_SCOOLD and USER_xxx_SCOOLD, then you will be given the admin rights and you will be able to sign in
Alex Bogdanovski
@albogdano
only if the MemberOf array does not contain USER_xxx_SCOOLD will the user be deactivated
if for some reason your account is an admin account you won't be able to see this working
admin privileges are granted on login, not immediately
also make sure that you have para.security.oauth2.token_delegation_enabled = true
Alex Bogdanovski
@albogdano
@pikrakpzu you can update Para to the :latest tag and you should see a debug message about the values of the returned OAuth2 access tokens and ID tokens. Based on that we can debug the situation.
Scoold will merge the values of the ID token into the access token so the two payloads are combined into one object. Then Scoold will try to parse that object and find the appropriate groups
Alex Bogdanovski
@albogdano
para.security.oauth2.token_delegation_enabled = true must be placed in the Scoold configuration file
pikrakpzu
@pikrakpzu

if for some reason the MemberOf object contains both ...

USER_xxx_SCOOLD does not exist; it's purposefully prepared for the Scoold config to make sure it does not exist in MemberOf.

if for some reason your account is an admin account ...

It's not. Double-checked, even removed para.admins from the config. Also removing the user (from the UI by another admin user) has no effect on the recreated perms.

also make sure that you have para.security.oauth2.token_delegation_enabled = true

It is set to true.

update Para to the :latest tag

Would be great to have Para :latest-base to test on existing test env as much as possible close to production (config/elastic/mongo).
If it's a hassle, I'll setup new test env with :latest.

Alex Bogdanovski
@albogdano
@pikrakpzu hm, I haven't thought about that actually - creating the new tag now
Alex Bogdanovski
@albogdano
I think something gets overwritten on the way back from the identity provider to Scoold, or the returned access token payload is different from what you expect it to be.
btw, how did you find the value of that OIDC JSON content above? Did you debug the request?
Alex Bogdanovski
@albogdano
docker pull erudikaltd/para:latest-base should now work
pikrakpzu
@pikrakpzu
@albogdano I didn't debug, I used Postman to verify content of the response and tokens.
Also can't start para:latest-base with para-dao-mongodb:1.37.1 and para-search-elasticsearch:1.38.2, Para is resetting with stack:
Exception in thread "main" java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ... 7 more
Caused by: java.util.ServiceConfigurationError: com.erudika.para.core.search.Search: Provider com.erudika.para.server.search.ElasticSearch could not be instantiated
    at java.base/java.util.ServiceLoader.fail(Unknown Source)
    at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(Unknown Source)
    at java.base/java.util.ServiceLoader$ProviderImpl.get(Unknown Source)
    at java.base/java.util.ServiceLoader$3.next(Unknown Source)
    at com.erudika.para.server.search.SearchModule.loadExternalSearch(SearchModule.java:55)
    at com.erudika.para.server.search.SearchModule.configure(SearchModule.java:34)
    at com.google.inject.AbstractModule.configure(AbstractModule.java:64)
    at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:409)
    at com.google.inject.spi.Elements.getElements(Elements.java:108)
    at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:160)
    at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
    at com.google.inject.Guice.createInjector(Guice.java:87)
    at com.erudika.para.server.ParaServer.initialize(ParaServer.java:139)
    at com.erudika.para.server.ParaServer.runAsJAR(ParaServer.java:424)
    at com.erudika.para.server.ParaServer.main(ParaServer.java:433)
    at com.erudika.para.jar.Run.main(Run.java:28)
    ... 8 more
Caused by: java.lang.NoSuchMethodError: 'boolean com.erudika.para.core.utils.Config.isSearchEnabled()'
    at com.erudika.para.server.search.ElasticSearch.<clinit>(ElasticSearch.java:104)
    ... 27 more