fix(secure): remove user list from roles and permissions field to avoid leaking userlist (#1614)

* fix(secure): remove user list from roles and permissions field to avoid leaking userlist

Signed-off-by: fengxsong <fengxsong@outlook.com>

* Update permission.go

* Update role.go

---------

Signed-off-by: fengxsong <fengxsong@outlook.com>
Co-authored-by: hsluoyz <hsluoyz@qq.com>

.github/workflows/migrate.yml

@@ -0,0 +1,61 @@
+name: Migration Test
+
+on:
+  push:
+    paths:
+      - 'object/migrator**'
+  pull_request:
+    paths:
+      - 'object/migrator**'
+
+jobs:
+
+  db-migrator-test:
+    name: db-migrator-test
+    runs-on: ubuntu-latest
+    services:
+      mysql:
+        image: mysql:5.7
+        env:
+          MYSQL_DATABASE: casdoor
+          MYSQL_ROOT_PASSWORD: 123456
+        ports:
+          - 3306:3306
+        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.16.5'
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 16
+      - name: pull casdoor-master-latest
+        run: |
+          sudo apt update
+          sudo apt install git
+          sudo apt install net-tools
+          sudo mkdir tmp
+          cd tmp
+          sudo git clone https://github.com/casdoor/casdoor.git
+          cd ..
+        working-directory: ./
+      - name: run casdoor-master-latest
+        run: |
+          sudo nohup go run main.go &
+          sudo sleep 2m
+        working-directory: ./tmp/casdoor
+      - name: stop casdoor-master-latest
+        run: |
+          sudo kill -9 `sudo netstat -anltp | grep 8000 | awk '{print $7}' | cut -d / -f 1`
+        working-directory: ./
+      - name: run casdoor-current-version
+        run: |
+          sudo nohup go run ./main.go &
+          sudo sleep 2m
+        working-directory: ./
+      - name: test port-8000
+        run: |
+          if [[ `sudo netstat -anltp | grep 8000 | awk '{print $7}'` == "" ]];then echo 'db-migrator-test fail' && exit 1;fi;
+          echo 'db-migrator-test pass'
+        working-directory: ./

authz/authz.go

@@ -160,7 +160,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information

controllers/account.go

@@ -296,7 +296,9 @@ func (c *ApiController) Logout() {
 
 			c.ClearUserSession()
 			// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-			object.DeleteSessionId(util.GetSessionId(object.CasdoorOrganization, object.CasdoorApplication, user), c.Ctx.Input.CruSession.SessionID())
+			owner, username := util.GetOwnerAndNameFromId(user)
+
+			object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
 			util.LogInfo(c.Ctx, "API: [%s] logged out", user)
 
 			c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))

manifests/casdoor/templates/configmap.yaml

@@ -1,23 +1,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: casdoor-config
+  name: {{ printf "%s-config" (include "casdoor.fullname" .) }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
 data:
-  app.conf: |
-    appname = casdoor
-    httpport = 80
-    runmode = dev
-    SessionOn = true
-    copyrequestbody = true
-    driverName = mysql
-    dataSourceName = root:123456@tcp(localhost:3306)/
-    dbName = casdoor
-    redisEndpoint =
-    defaultStorageProvider = 
-    isCloudIntranet = false
-    authState = "casdoor"
-    socks5Proxy = "127.0.0.1:10808"
-    verificationCodeTimeout = 10
-    initScore = 2000
-    logPostOnly = true
-    origin = "https://door.casbin.com"
+  app.conf: {{ tpl .Values.config . | toYaml | nindent 4 }}

manifests/casdoor/templates/deployment.yaml

@@ -13,10 +13,11 @@ spec:
       {{- include "casdoor.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        checksum/config: {{ tpl .Values.config . | toYaml | sha256sum }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "casdoor.selectorLabels" . | nindent 8 }}
     spec:
@@ -34,18 +35,25 @@ spec:
           image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           # command: ["sleep", "100000000"]
+          env:
+            - name: RUNNING_IN_DOCKER
+              value: "true"
           ports:
             - name: http
-              containerPort: 80
+              containerPort: {{ .Values.service.port }}
               protocol: TCP
-          # livenessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: http
-          # readinessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: http
+          {{ if .Values.probe.liveness.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          {{ end }}
+          {{ if .Values.probe.readiness.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          {{ end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
@@ -60,7 +68,7 @@ spec:
                items:
                - key: app.conf
                  path: app.conf
-               name: casdoor-config
+               name: {{ printf "%s-config" (include "casdoor.fullname" .) }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

manifests/casdoor/values.yaml

@@ -6,11 +6,31 @@ replicaCount: 1
 
 image:
   repository: casbin
-  name: casdoor-all-in-one
+  name: casdoor
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
+# ref: https://casdoor.org/docs/basic/server-installation#via-ini-file
+config: |
+  appname = casdoor
+  httpport = {{ .Values.service.port }}
+  runmode = dev
+  SessionOn = true
+  copyrequestbody = true
+  driverName = sqlite
+  dataSourceName = "file:ent?mode=memory&cache=shared&_fk=1"
+  dbName = casdoor
+  redisEndpoint =
+  defaultStorageProvider = 
+  isCloudIntranet = false
+  authState = "casdoor"
+  socks5Proxy = ""
+  verificationCodeTimeout = 10
+  initScore = 2000
+  logPostOnly = true
+  origin = "https://door.casbin.com"
+
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -37,9 +57,15 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
+probe:
+  readiness:
+    enabled: true
+  liveness:
+    enabled: true
+
 service:
   type: ClusterIP
-  port: 80
+  port: 8000
 
 ingress:
   enabled: false

object/permission.go

@@ -245,6 +245,10 @@ func GetPermissionsByUser(userId string) []*Permission {
 		panic(err)
 	}
 
+	for i := range permissions {
+		permissions[i].Users = nil
+	}
+
 	return permissions
 }
 

object/role.go

@@ -159,6 +159,10 @@ func GetRolesByUser(userId string) []*Role {
 		panic(err)
 	}
 
+	for i := range roles {
+		roles[i].Users = nil
+	}
+
 	return roles
 }
 

web/src/ResetModal.js

@@ -25,7 +25,7 @@ export const ResetModal = (props) => {
   const [confirmLoading, setConfirmLoading] = React.useState(false);
   const [dest, setDest] = React.useState("");
   const [code, setCode] = React.useState("");
-  const {buttonText, destType, application, account} = props;
+  const {buttonText, destType, application, countryCode} = props;
 
   const showModal = () => {
     setVisible(true);
@@ -87,7 +87,7 @@ export const ResetModal = (props) => {
           <Row style={{width: "100%", marginBottom: "20px"}}>
             <Input
               addonBefore={destType === "email" ? i18next.t("user:New Email") : i18next.t("user:New phone")}
-              prefix={destType === "email" ? <React.Fragment><MailOutlined />&nbsp;&nbsp;</React.Fragment> : (<React.Fragment><PhoneOutlined />&nbsp;&nbsp;{`+${Setting.getCountryCode(account.countryCode)}`}&nbsp;</React.Fragment>)}
+              prefix={destType === "email" ? <React.Fragment><MailOutlined />&nbsp;&nbsp;</React.Fragment> : (<React.Fragment><PhoneOutlined />&nbsp;&nbsp;{countryCode !== "" ? "+" : null}{Setting.getCountryCode(countryCode)}&nbsp;</React.Fragment>)}
               placeholder={placeholder}
               onChange={e => setDest(e.target.value)}
             />

web/src/Setting.js

@@ -209,7 +209,10 @@ export function initCountries() {
 }
 
 export function getCountryCode(country) {
-  return phoneNumber.getCountryCallingCode(country);
+  if (phoneNumber.isSupportedCountry(country)) {
+    return phoneNumber.getCountryCallingCode(country);
+  }
+  return "";
 }
 
 export function getCountryCodeData(countryCodes = phoneNumber.getCountries()) {

web/src/UserEditPage.js

@@ -138,6 +138,10 @@ class UserEditPage extends React.Component {
     return this.isSelf() || Setting.isAdminUser(this.props.account);
   }
 
+  getCountryCode() {
+    return this.props.account.countryCode;
+  }
+
   renderAccountItem(accountItem) {
     if (!accountItem.visible) {
       return null;
@@ -296,7 +300,7 @@ class UserEditPage extends React.Component {
           </Col>
           <Col span={Setting.isMobile() ? 22 : 11} >
             {/* backend auto get the current user, so admin can not edit. Just self can reset*/}
-            {this.isSelf() ? <ResetModal application={this.state.application} account={this.props.account} disabled={disabled} buttonText={i18next.t("user:Reset Email...")} destType={"email"} /> : null}
+            {this.isSelf() ? <ResetModal application={this.state.application} disabled={disabled} buttonText={i18next.t("user:Reset Email...")} destType={"email"} /> : null}
           </Col>
         </Row>
       );
@@ -326,7 +330,7 @@ class UserEditPage extends React.Component {
             </Input.Group>
           </Col>
           <Col span={Setting.isMobile() ? 24 : 11} >
-            {this.isSelf() ? (<ResetModal application={this.state.application} account={this.props.account} disabled={disabled} buttonText={i18next.t("user:Reset Phone...")} destType={"phone"} />) : null}
+            {this.isSelf() ? (<ResetModal application={this.state.application} countryCode={this.getCountryCode()} disabled={disabled} buttonText={i18next.t("user:Reset Phone...")} destType={"phone"} />) : null}
           </Col>
         </Row>
       );

web/src/auth/LoginPage.js

@@ -378,6 +378,13 @@ class LoginPage extends React.Component {
     }
 
     if (application.enablePassword) {
+      let loginWidth = 320;
+      if (Setting.getLanguage() === "fr") {
+        loginWidth += 10;
+      } else if (Setting.getLanguage() === "es") {
+        loginWidth += 40;
+      }
+
       return (
         <Form
           name="normal_login"
@@ -391,7 +398,7 @@ class LoginPage extends React.Component {
           onFinish={(values) => {
             this.onFinish(values);
           }}
-          style={{width: "300px"}}
+          style={{width: `${loginWidth}px`}}
           size="large"
           ref={this.form}
         >

web/src/common/CaptchaModal.js

@@ -38,6 +38,7 @@ export const CaptchaModal = ({
   const [captchaToken, setCaptchaToken] = React.useState("");
   const [secret, setSecret] = React.useState(clientSecret);
   const [secret2, setSecret2] = React.useState(clientSecret2);
+  const defaultInputRef = React.useRef(null);
 
   useEffect(() => {
     setVisible(() => {
@@ -67,6 +68,8 @@ export const CaptchaModal = ({
       if (captchaType === "Default") {
         setSecret(res.captchaId);
         setCaptchaImg(res.captchaImage);
+
+        defaultInputRef.current?.focus();
       } else {
         setSecret(res.clientSecret);
         setSecret2(res.clientSecret2);
@@ -76,28 +79,31 @@ export const CaptchaModal = ({
 
   const renderDefaultCaptcha = () => {
     return (
-      <Col>
-        <Row
-          style={{
-            backgroundImage: `url('data:image/png;base64,${captchaImg}')`,
-            backgroundRepeat: "no-repeat",
-            height: "80px",
-            width: "200px",
-            borderRadius: "5px",
-            border: "1px solid #ccc",
-            marginBottom: 10,
-          }}
-        />
-        <Row>
-          <Input
-            autoFocus
-            value={captchaToken}
-            prefix={<SafetyOutlined />}
-            placeholder={i18next.t("general:Captcha")}
-            onPressEnter={handleOk}
-            onChange={(e) => setCaptchaToken(e.target.value)}
+      <Col style={{textAlign: "center"}}>
+        <div style={{display: "inline-block"}}>
+          <Row
+            style={{
+              backgroundImage: `url('data:image/png;base64,${captchaImg}')`,
+              backgroundRepeat: "no-repeat",
+              height: "80px",
+              width: "200px",
+              borderRadius: "5px",
+              border: "1px solid #ccc",
+              marginBottom: "20px",
+            }}
           />
-        </Row>
+          <Row>
+            <Input
+              ref={defaultInputRef}
+              style={{width: "200px"}}
+              value={captchaToken}
+              prefix={<SafetyOutlined />}
+              placeholder={i18next.t("general:Captcha")}
+              onPressEnter={handleOk}
+              onChange={(e) => setCaptchaToken(e.target.value)}
+            />
+          </Row>
+        </div>
       </Col>
     );
   };
@@ -129,14 +135,22 @@ export const CaptchaModal = ({
   };
 
   const renderFooter = () => {
+    let isOkDisabled = false;
+    if (captchaType === "Default") {
+      const regex = /^\d{5}$/;
+      if (!regex.test(captchaToken)) {
+        isOkDisabled = true;
+      }
+    }
+
     if (canCancel) {
       return [
         <Button key="cancel" onClick={handleCancel}>{i18next.t("user:Cancel")}</Button>,
-        <Button key="ok" type="primary" onClick={handleOk}>{i18next.t("user:OK")}</Button>,
+        <Button key="ok" disabled={isOkDisabled} type="primary" onClick={handleOk}>{i18next.t("user:OK")}</Button>,
       ];
     } else {
       return [
-        <Button key="ok" type="primary" onClick={handleOk}>{i18next.t("user:OK")}</Button>,
+        <Button key="ok" disabled={isOkDisabled} type="primary" onClick={handleOk}>{i18next.t("user:OK")}</Button>,
       ];
     }
   };
@@ -152,7 +166,11 @@ export const CaptchaModal = ({
         width={348}
         footer={renderFooter()}
       >
-        {renderCheck()}
+        <div style={{marginTop: "20px", marginBottom: "50px"}}>
+          {
+            renderCheck()
+          }
+        </div>
       </Modal>
     </React.Fragment>
   );