Merge branch 'development' into release

Author: ssddanbrown

.env.example.complete

@@ -215,10 +215,11 @@ LDAP_SERVER=false
 LDAP_BASE_DN=false
 LDAP_DN=false
 LDAP_PASS=false
-LDAP_USER_FILTER=false
+LDAP_USER_FILTER="(&(uid={user}))"
 LDAP_VERSION=false
 LDAP_START_TLS=false
 LDAP_TLS_INSECURE=false
+LDAP_TLS_CA_CERT=false
 LDAP_ID_ATTRIBUTE=uid
 LDAP_EMAIL_ATTRIBUTE=mail
 LDAP_DISPLAY_NAME_ATTRIBUTE=cn
@@ -267,6 +268,7 @@ OIDC_ISSUER_DISCOVER=false
 OIDC_PUBLIC_KEY=null
 OIDC_AUTH_ENDPOINT=null
 OIDC_TOKEN_ENDPOINT=null
+OIDC_USERINFO_ENDPOINT=null
 OIDC_ADDITIONAL_SCOPES=null
 OIDC_DUMP_USER_DETAILS=false
 OIDC_USER_TO_GROUPS=false
@@ -324,6 +326,14 @@ FILE_UPLOAD_SIZE_LIMIT=50
 # Can be 'a4' or 'letter'.
 EXPORT_PAGE_SIZE=a4
 
+# Export PDF Command
+# Set a command which can be used to convert a HTML file into a PDF file.
+# When false this will not be used.
+# String values represent the command to be called for conversion.
+# Supports '{input_html_path}' and '{output_pdf_path}' placeholder values.
+# Example: EXPORT_PDF_COMMAND="/scripts/convert.sh {input_html_path} {output_pdf_path}"
+EXPORT_PDF_COMMAND=false
+
 # Set path to wkhtmltopdf binary for PDF generation.
 # Can be 'false' or a path path like: '/home/bins/wkhtmltopdf'
 # When false, BookStack will attempt to find a wkhtmltopdf in the application

.github/translators.txt

@@ -389,7 +389,7 @@ Marc Hagen (MarcHagen) :: Dutch
 Kasper Alsøe (zeonos) :: Danish
 sultani :: Persian
 renge :: Korean
-TheGatesDev (thegatesdev) :: Dutch
+Tim (thegatesdev) :: Dutch; German Informal; Romanian; French; Catalan; Czech; Danish; German; Finnish; Hungarian; Italian; Japanese; Korean; Polish; Russian; Ukrainian; Chinese Simplified; Chinese Traditional; Portuguese, Brazilian; Persian; Spanish, Argentina; Croatian; Norwegian Nynorsk; Estonian; Uzbek; Norwegian Bokmal
 Irdi (irdiOL) :: Albanian
 KateBarber :: Welsh
 Twister (theuncles75) :: Hebrew
@@ -410,3 +410,15 @@ cracrayol :: French
 CapuaSC :: Dutch
 Guardian75 :: German Informal
 mr-kanister :: German
+Michele Bastianelli (makoblaster) :: Italian
+jespernissen :: Danish
+Andrey (avmaksimov) :: Russian
+Gonzalo Loyola (AlFcl) :: Spanish, Argentina; Spanish
+grobert63 :: French
+wusst. (Supporti) :: German
+MaximMaximS :: Czech
+damian-klima :: Slovak
+crow_ :: Latvian
+JocelynDelalande :: French
+Jan (JW-CH) :: German Informal
+Timo B (lommes) :: German Informal

.github/workflows/analyse-php.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Setup PHP
       uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.1
+        php-version: 8.3
         extensions: gd, mbstring, json, curl, xml, mysql, ldap
 
     - name: Get Composer Cache Directory
@@ -27,10 +27,10 @@ jobs:
         echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
     - name: Cache composer packages
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
-        key: ${{ runner.os }}-composer-8.1
+        key: ${{ runner.os }}-composer-8.3
         restore-keys: ${{ runner.os }}-composer-
 
     - name: Install composer dependencies

.github/workflows/test-migrations.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        php: ['8.0', '8.1', '8.2', '8.3']
+        php: ['8.1', '8.2', '8.3']
     steps:
       - uses: actions/checkout@v1
 
@@ -32,7 +32,7 @@ jobs:
           echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           key: ${{ runner.os }}-composer-${{ matrix.php }}

.github/workflows/test-php.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        php: ['8.0', '8.1', '8.2', '8.3']
+        php: ['8.1', '8.2', '8.3']
     steps:
     - uses: actions/checkout@v1
 
@@ -32,7 +32,7 @@ jobs:
         echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
     - name: Cache composer packages
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ matrix.php }}

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2023, Dan Brown and the BookStack Project contributors.
+Copyright (c) 2015-2024, Dan Brown and the BookStack Project contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

app/Access/Controllers/MfaTotpController.php

@@ -19,20 +19,25 @@ class MfaTotpController extends Controller
 
     protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';
 
+    public function __construct(
+        protected TotpService $totp
+    ) {
+    }
+
     /**
      * Show a view that generates and displays a TOTP QR code.
      */
-    public function generate(TotpService $totp)
+    public function generate()
     {
         if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {
             $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
         } else {
-            $totpSecret = $totp->generateSecret();
+            $totpSecret = $this->totp->generateSecret();
             session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
         }
 
-        $qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
-        $svg = $totp->generateQrCodeSvg($qrCodeUrl);
+        $qrCodeUrl = $this->totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
+        $svg = $this->totp->generateQrCodeSvg($qrCodeUrl);
 
         $this->setPageTitle(trans('auth.mfa_gen_totp_title'));
 
@@ -56,7 +61,7 @@ public function confirm(Request $request)
             'code' => [
                 'required',
                 'max:12', 'min:4',
-                new TotpValidationRule($totpSecret),
+                new TotpValidationRule($totpSecret, $this->totp),
             ],
         ]);
 
@@ -87,7 +92,7 @@ public function verify(Request $request, LoginService $loginService, MfaSession
             'code' => [
                 'required',
                 'max:12', 'min:4',
-                new TotpValidationRule($totpSecret),
+                new TotpValidationRule($totpSecret, $this->totp),
             ],
         ]);
 

app/Access/Controllers/RegisterController.php

@@ -15,24 +15,13 @@
 
 class RegisterController extends Controller
 {
-    protected SocialDriverManager $socialDriverManager;
-    protected RegistrationService $registrationService;
-    protected LoginService $loginService;
-
-    /**
-     * Create a new controller instance.
-     */
     public function __construct(
-        SocialDriverManager $socialDriverManager,
-        RegistrationService $registrationService,
-        LoginService $loginService
+        protected SocialDriverManager $socialDriverManager,
+        protected RegistrationService $registrationService,
+        protected LoginService $loginService
     ) {
         $this->middleware('guest');
         $this->middleware('guard:standard');
-
-        $this->socialDriverManager = $socialDriverManager;
-        $this->registrationService = $registrationService;
-        $this->loginService = $loginService;
     }
 
     /**
@@ -87,6 +76,8 @@ protected function validator(array $data): ValidatorContract
             'name'     => ['required', 'min:2', 'max:100'],
             'email'    => ['required', 'email', 'max:255', 'unique:users'],
             'password' => ['required', Password::default()],
+            // Basic honey for bots that must not be filled in
+            'username' => ['prohibited'],
         ]);
     }
 }

app/Access/LdapService.php

@@ -209,6 +209,12 @@ protected function getConnection()
             $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
         }
 
+        // Configure any user-provided CA cert files for LDAP.
+        // This option works globally and must be set before a connection is created.
+        if ($this->config['tls_ca_cert']) {
+            $this->configureTlsCaCerts($this->config['tls_ca_cert']);
+        }
+
         $ldapHost = $this->parseServerString($this->config['server']);
         $ldapConnection = $this->ldap->connect($ldapHost);
 
@@ -223,7 +229,14 @@ protected function getConnection()
 
         // Start and verify TLS if it's enabled
         if ($this->config['start_tls']) {
-            $started = $this->ldap->startTls($ldapConnection);
+            try {
+                $started = $this->ldap->startTls($ldapConnection);
+            } catch (\Exception $exception) {
+                $error = $exception->getMessage() . ' :: ' . ldap_error($ldapConnection);
+                ldap_get_option($ldapConnection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
+                Log::info("LDAP STARTTLS failure: {$error} {$detail}");
+                throw new LdapException('Could not start TLS connection. Further details in the application log.');
+            }
             if (!$started) {
                 throw new LdapException('Could not start TLS connection');
             }
@@ -234,6 +247,33 @@ protected function getConnection()
         return $this->ldapConnection;
     }
 
+    /**
+     * Configure TLS CA certs globally for ldap use.
+     * This will detect if the given path is a directory or file, and set the relevant
+     * LDAP TLS options appropriately otherwise throw an exception if no file/folder found.
+     *
+     * Note: When using a folder, certificates are expected to be correctly named by hash
+     * which can be done via the c_rehash utility.
+     *
+     * @throws LdapException
+     */
+    protected function configureTlsCaCerts(string $caCertPath): void
+    {
+        $errMessage = "Provided path [{$caCertPath}] for LDAP TLS CA certs could not be resolved to an existing location";
+        $path = realpath($caCertPath);
+        if ($path === false) {
+            throw new LdapException($errMessage);
+        }
+
+        if (is_dir($path)) {
+            $this->ldap->setOption(null, LDAP_OPT_X_TLS_CACERTDIR, $path);
+        } else if (is_file($path)) {
+            $this->ldap->setOption(null, LDAP_OPT_X_TLS_CACERTFILE, $path);
+        } else {
+            throw new LdapException($errMessage);
+        }
+    }
+
     /**
      * Parse an LDAP server string and return the host suitable for a connection.
      * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'.
@@ -249,13 +289,18 @@ protected function parseServerString(string $serverString): string
 
     /**
      * Build a filter string by injecting common variables.
+     * Both "${var}" and "{var}" style placeholders are supported.
+     * Dollar based are old format but supported for compatibility.
      */
     protected function buildFilter(string $filterString, array $attrs): string
     {
         $newAttrs = [];
         foreach ($attrs as $key => $attrText) {
-            $newKey = '${' . $key . '}';
-            $newAttrs[$newKey] = $this->ldap->escape($attrText);
+            $escapedText = $this->ldap->escape($attrText);
+            $oldVarKey = '${' . $key . '}';
+            $newVarKey = '{' . $key . '}';
+            $newAttrs[$oldVarKey] = $escapedText;
+            $newAttrs[$newVarKey] = $escapedText;
         }
 
         return strtr($filterString, $newAttrs);

app/Access/Mfa/TotpValidationRule.php

@@ -2,36 +2,26 @@
 
 namespace BookStack\Access\Mfa;
 
-use Illuminate\Contracts\Validation\Rule;
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
 
-class TotpValidationRule implements Rule
+class TotpValidationRule implements ValidationRule
 {
-    protected $secret;
-    protected $totpService;
-
     /**
      * Create a new rule instance.
      * Takes the TOTP secret that must be system provided, not user provided.
      */
-    public function __construct(string $secret)
-    {
-        $this->secret = $secret;
-        $this->totpService = app()->make(TotpService::class);
+    public function __construct(
+        protected string $secret,
+        protected TotpService $totpService,
+    ) {
     }
 
-    /**
-     * Determine if the validation rule passes.
-     */
-    public function passes($attribute, $value)
-    {
-        return $this->totpService->verifyCode($value, $this->secret);
-    }
-
-    /**
-     * Get the validation error message.
-     */
-    public function message()
+    public function validate(string $attribute, mixed $value, Closure $fail): void
     {
-        return trans('validation.totp');
+        $passes = $this->totpService->verifyCode($value, $this->secret);
+        if (!$passes) {
+            $fail(trans('validation.totp'));
+        }
     }
 }