Merge branch 'master' of github-chisom:dhis2/dhis2-core into DHIS2-18…

…585/login-fallback-error
dhis2 · Dec 11, 2024 · 4fc19b7 · 4fc19b7
2 parents d461569 + 2c6105d
commit 4fc19b7
Show file tree

Hide file tree

Showing 138 changed files with 3,246 additions and 2,484 deletions.
diff --git a/...session/SpringHttpSessionInitializer.java → ...g/hisp/dhis/audit/AuditOperationType.java b/...session/SpringHttpSessionInitializer.java → ...g/hisp/dhis/audit/AuditOperationType.java
@@ -25,16 +25,16 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-package org.hisp.dhis.webapi.security.session;
-
-import org.hisp.dhis.webapi.filter.DefaultSessionConfig;
-import org.springframework.session.web.context.AbstractHttpSessionApplicationInitializer;
+package org.hisp.dhis.audit;
 
 /**
- * This is used for adding springSessionRepositoryFilter into the filter chain. The actual filter
- * bean used will be either backed by redis from the {@link RedisSpringSessionConfig} or a dummy
- * filter from {@link DefaultSessionConfig}.
- *
- * @author Ameen Mohamed
+ * @author Halvdan Hoem Grelland
+ * @author Luca Cambi split Changelog from Audit
  */
-public class SpringHttpSessionInitializer extends AbstractHttpSessionApplicationInitializer {}
+public enum AuditOperationType {
+  CREATE,
+  UPDATE,
+  DELETE,
+  READ,
+  SEARCH
+}
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/changelog/ChangeLogType.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/changelog/ChangeLogType.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004-2022, University of Oslo
+ * Copyright (c) 2004-2024, University of Oslo
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27,14 +27,8 @@
  */
 package org.hisp.dhis.changelog;
 
-/**
- * @author Halvdan Hoem Grelland
- * @author Luca Cambi split Changelog from Audit
- */
 public enum ChangeLogType {
   CREATE,
   UPDATE,
-  DELETE,
-  READ,
-  SEARCH
+  DELETE
 }
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/CodeGenerator.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/CodeGenerator.java
@@ -143,6 +143,28 @@ public static char[] generateSecureRandomCode(int codeSize) {
     return generateRandomAlphanumericCode(codeSize, sr);
   }
 
+  public static byte[] generateSecureRandomBytes(int length) {
+    SecureRandom sr = SecureRandomHolder.GENERATOR;
+    byte[] bytes = new byte[length];
+    sr.nextBytes(bytes);
+    return bytes;
+  }
+
+  /**
+   * Generates a string of random numeric characters.
+   *
+   * @param length the number of characters in the code.
+   * @return the code.
+   */
+  public static char[] generateSecureRandomNumber(int length) {
+    char[] digits = new char[length];
+    SecureRandom sr = SecureRandomHolder.GENERATOR;
+    for (int i = 0; i < length; i++) {
+      digits[i] = (char) ('0' + sr.nextInt(10));
+    }
+    return digits;
+  }
+
   /**
    * Generates a random secure token.
    *

diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/datavalue/DataValueAudit.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/datavalue/DataValueAudit.java
@@ -32,8 +32,8 @@
 import com.google.common.base.MoreObjects;
 import java.util.Date;
 import java.util.Objects;
+import org.hisp.dhis.audit.AuditOperationType;
 import org.hisp.dhis.category.CategoryOptionCombo;
-import org.hisp.dhis.changelog.ChangeLogType;
 import org.hisp.dhis.common.DxfNamespaces;
 import org.hisp.dhis.dataelement.DataElement;
 import org.hisp.dhis.organisationunit.OrganisationUnit;
@@ -62,7 +62,7 @@ public class DataValueAudit {
 
   private Date created;
 
-  private ChangeLogType auditType;
+  private AuditOperationType auditType;
 
   // -------------------------------------------------------------------------
   // Constructors
@@ -71,7 +71,7 @@ public class DataValueAudit {
   public DataValueAudit() {}
 
   public DataValueAudit(
-      DataValue dataValue, String value, String modifiedBy, ChangeLogType auditType) {
+      DataValue dataValue, String value, String modifiedBy, AuditOperationType auditType) {
     this.dataElement = dataValue.getDataElement();
     this.period = dataValue.getPeriod();
     this.organisationUnit = dataValue.getSource();
@@ -91,7 +91,7 @@ public DataValueAudit(
       CategoryOptionCombo attributeOptionCombo,
       String value,
       String modifiedBy,
-      ChangeLogType auditType) {
+      AuditOperationType auditType) {
     this.dataElement = dataElement;
     this.period = period;
     this.organisationUnit = organisationUnit;
@@ -277,11 +277,11 @@ public void setCreated(Date created) {
 
   @JsonProperty
   @JacksonXmlProperty(namespace = DxfNamespaces.DXF_2_0)
-  public ChangeLogType getAuditType() {
+  public AuditOperationType getAuditType() {
     return auditType;
   }
 
-  public void setAuditType(ChangeLogType auditType) {
+  public void setAuditType(AuditOperationType auditType) {
     this.auditType = auditType;
   }
 }
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/datavalue/DataValueAuditQueryParams.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/datavalue/DataValueAuditQueryParams.java
@@ -31,8 +31,8 @@
 import java.util.List;
 import lombok.Data;
 import lombok.experimental.Accessors;
+import org.hisp.dhis.audit.AuditOperationType;
 import org.hisp.dhis.category.CategoryOptionCombo;
-import org.hisp.dhis.changelog.ChangeLogType;
 import org.hisp.dhis.common.Pager;
 import org.hisp.dhis.dataelement.DataElement;
 import org.hisp.dhis.organisationunit.OrganisationUnit;
@@ -56,7 +56,7 @@ public class DataValueAuditQueryParams {
 
   private CategoryOptionCombo attributeOptionCombo;
 
-  private List<ChangeLogType> auditTypes = new ArrayList<>();
+  private List<AuditOperationType> auditTypes = new ArrayList<>();
 
   private Pager pager;
 

diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/feedback/ErrorCode.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/feedback/ErrorCode.java
@@ -71,7 +71,7 @@ public enum ErrorCode {
   E1125("Category option combo {0} contains options not associated with category combo {1}"),
   E1126("Category combo {0} cannot combine more than {1} categories, but had: {2}"),
   E1127("Category {0} cannot have more than {1} options, but had: {2} "),
-  E1128("Category combo {0} cannot have more than {1} combinations, bud requires: {2}"),
+  E1128("Category combo {0} cannot have more than {1} combinations, but requires: {2}"),
 
   /* Org unit merge */
   E1500("At least two source orgs unit must be specified"),
@@ -199,21 +199,31 @@ public enum ErrorCode {
   E3020(
       "You must have permissions to create user, or ability to manage at least one user group for the user"),
   E3021("Not allowed to disable 2FA for current user"),
-  E3022("User has two factor authentication enabled, disable 2FA before you create a new QR code"),
+  E3022("User has 2FA enabled already, disable 2FA before you try to enroll again"),
   E3023("Invalid 2FA code"),
   E3024("Not allowed to disable 2FA"),
   E3025("No current user"),
   E3026("Could not generate QR code"),
   E3027("No currentUser available"),
-  E3028("User must have a secret"),
-  E3029("User must call the /qrCode endpoint first"),
+  E3028("User must have a 2FA secret"),
+  E3029("User must start 2FA enrollment first"),
   E3030(
-      "User cannot update their own user's 2FA settings via this API endpoint, must use /2fa/enable or disable API"),
-  E3031("Two factor authentication is not enabled"),
+      "User cannot update their own user's 2FA settings via this API endpoint, must use /2fa/enable or /2fa/disable API"),
+  E3031("User has not enabled 2FA"),
   E3032("User `{0}` does not have access to user role"),
   E3040("Could not resolve JwsAlgorithm from the JWK. Can not write a valid JWKSet"),
   E3041("User `{0}` is not allowed to change a user having the ALL authority"),
   E3042("Too many failed disable attempts. Please try again later"),
+  E3043(
+      "User does not have a verified email, please verify your email before you try to enable 2FA"),
+  E3044("TOTP 2FA is not enabled"),
+  E3045("Email based 2FA is not enabled in the system settings"),
+  E3046("TOTP 2FA is not enabled in the system settings"),
+  E3047("User is not in TOTP 2FA enrollment mode"),
+  E3048("User does not have email 2FA enabled"),
+  E3049("Sending 2FA code with email failed"),
+  E3050("2FA code can not be null or empty"),
+  E3051("2FA code was sent to the user's email"),
 
   /* Metadata Validation */
   E4000("Missing required property `{0}`"),

diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/security/twofa/TwoFactorType.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/security/twofa/TwoFactorType.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2004-2024, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.hisp.dhis.security.twofa;
+
+import lombok.Getter;
+
+@Getter
+public enum TwoFactorType {
+  NOT_ENABLED,
+  TOTP_ENABLED,
+  EMAIL_ENABLED,
+  ENROLLING_TOTP, // User is in the process of enrolling in TOTP 2FA
+  ENROLLING_EMAIL; // User is in the process of enrolling in email-based 2FA
+
+  public boolean isEnrolling() {
+    return this == ENROLLING_TOTP || this == ENROLLING_EMAIL;
+  }
+
+  public TwoFactorType getEnabledType() {
+    if (this == ENROLLING_TOTP) {
+      return TOTP_ENABLED;
+    } else if (this == ENROLLING_EMAIL) {
+      return EMAIL_ENABLED;
+    } else {
+      return this;
+    }
+  }
+
+  public boolean isEnabled() {
+    return this == TOTP_ENABLED || this == EMAIL_ENABLED;
+  }
+}
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/setting/SystemSettings.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/setting/SystemSettings.java
@@ -721,6 +721,14 @@ default String getGlobalShellAppName() {
     return asString("globalShellAppName", "global-app-shell");
   }
 
+  default boolean getEmail2FAEnabled() {
+    return asBoolean("email2FAEnabled", false);
+  }
+
+  default boolean getTOTP2FAEnabled() {
+    return asBoolean("totp2FAEnabled", true);
+  }
+
   /**
    * @return true if email verification is enforced for all users.
    */

diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/ApiTrackedEntityAuditService.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/ApiTrackedEntityAuditService.java
@@ -27,7 +27,7 @@
  */
 package org.hisp.dhis.trackedentity;
 
-import org.hisp.dhis.changelog.ChangeLogType;
+import org.hisp.dhis.audit.AuditOperationType;
 
 /**
  * @author Abyot Asalefew Gizaw [email protected]
@@ -38,5 +38,5 @@ public interface ApiTrackedEntityAuditService {
   String ID = ApiTrackedEntityAuditService.class.getName();
 
   void addTrackedEntityAudit(
-      TrackedEntity trackedEntity, String username, ChangeLogType changeLogType);
+      TrackedEntity trackedEntity, String username, AuditOperationType auditOperationType);
 }
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/TrackedEntityAudit.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/TrackedEntityAudit.java
@@ -33,7 +33,7 @@
 import java.io.Serializable;
 import java.util.Date;
 import java.util.Objects;
-import org.hisp.dhis.changelog.ChangeLogType;
+import org.hisp.dhis.audit.AuditOperationType;
 import org.hisp.dhis.common.DxfNamespaces;
 
 /**
@@ -55,15 +55,15 @@ public class TrackedEntityAudit implements Serializable {
 
   private String accessedBy;
 
-  private ChangeLogType auditType;
+  private AuditOperationType auditType;
 
   // -------------------------------------------------------------------------
   // Constructors
   // -------------------------------------------------------------------------
 
   public TrackedEntityAudit() {}
 
-  public TrackedEntityAudit(String trackedEntity, String accessedBy, ChangeLogType auditType) {
+  public TrackedEntityAudit(String trackedEntity, String accessedBy, AuditOperationType auditType) {
     this.trackedEntity = trackedEntity;
     this.accessedBy = accessedBy;
     this.created = new Date();
@@ -75,8 +75,8 @@ public TrackedEntityAudit(
       String comment,
       Date created,
       String accessedBy,
-      ChangeLogType changeLogType) {
-    this(trackedEntity, accessedBy, changeLogType);
+      AuditOperationType auditOperationType) {
+    this(trackedEntity, accessedBy, auditOperationType);
     this.comment = comment;
     this.created = created;
   }
@@ -159,11 +159,11 @@ public void setAccessedBy(String accessedBy) {
 
   @JsonProperty
   @JacksonXmlProperty(namespace = DxfNamespaces.DXF_2_0)
-  public ChangeLogType getAuditType() {
+  public AuditOperationType getAuditType() {
     return auditType;
   }
 
-  public void setAuditType(ChangeLogType auditType) {
+  public void setAuditType(AuditOperationType auditType) {
     this.auditType = auditType;
   }
 }
diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/TrackedEntityAuditQueryParams.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/trackedentity/TrackedEntityAuditQueryParams.java
@@ -32,7 +32,7 @@
 import java.util.List;
 import lombok.Data;
 import lombok.experimental.Accessors;
-import org.hisp.dhis.changelog.ChangeLogType;
+import org.hisp.dhis.audit.AuditOperationType;
 import org.hisp.dhis.common.Pager;
 
 /**
@@ -45,7 +45,7 @@ public class TrackedEntityAuditQueryParams {
 
   private List<String> users = new ArrayList<>();
 
-  private List<ChangeLogType> auditTypes = new ArrayList<>();
+  private List<AuditOperationType> auditTypes = new ArrayList<>();
 
   private Date startDate = null;
 

diff --git a/dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/SystemUser.java b/dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/SystemUser.java
@@ -33,6 +33,7 @@
 import javax.annotation.Nonnull;
 import org.hisp.dhis.common.CodeGenerator;
 import org.hisp.dhis.security.Authorities;
+import org.hisp.dhis.security.twofa.TwoFactorType;
 import org.springframework.security.core.GrantedAuthority;
 
 /**
@@ -88,6 +89,11 @@ public boolean isSuper() {
     return true;
   }
 
+  @Override
+  public String getSecret() {
+    return "";
+  }
+
   @Override
   public String getUid() {
     return "XXXXXSystem";
@@ -184,6 +190,11 @@ public boolean isTwoFactorEnabled() {
     return false;
   }
 
+  @Override
+  public TwoFactorType getTwoFactorType() {
+    return TwoFactorType.NOT_ENABLED;
+  }
+
   @Override
   public boolean isEmailVerified() {
     return true;