[GITFLOW]merging 'release-1.54.0' into 'master'

Author: jenkins

CONTRIBUTING.md

@@ -10,6 +10,8 @@
 
 Please read adhere to the following guidelines when submitting new issues. This allows us to process your request as quickly as possible. Make sure to always use the templates that are automatically provided when creating an issue.
 
+If you want to report a **security issue**, please follow our guideline for [*Responsible Disclosure*](SECURITY.md).
+
 **Important:** Whenever creating a new issue, **please search the repository for similar issues first** to avoid duplicates. You can do this manually or by using the search functionality in the header and limiting your results to the SORMAS repository.
 
 * [Bug Report](#bug-report)

README.md

@@ -7,7 +7,7 @@
     />
   </a>
   <br/>
-  <a href="https://github.com/hzi-braunschweig/SORMAS-Project/blob/development/LICENSE"><img alt="License" src="https://img.shields.io/badge/license-GPL%20v3-blue"/></a> <a href="https://github.com/hzi-braunschweig/SORMAS-Project/releases/latest"><img alt="Latest Release" src="https://img.shields.io/github/v/release/hzi-braunschweig/SORMAS-Project"/></a> <img alt="Development Build Status" src="https://github.com/hzi-braunschweig/SORMAS-Project/workflows/Java%20CI%20with%20Maven/badge.svg?branch=development"/> <a href="https://gitter.im/SORMAS-Project"><img alt="Gitter" src="https://badges.gitter.im/SORMAS-Project/dev-support.svg"/></a>
+  <a href="https://github.com/hzi-braunschweig/SORMAS-Project/blob/development/LICENSE"><img alt="License" src="https://img.shields.io/badge/license-GPL%20v3-blue"/></a> <a href="https://github.com/hzi-braunschweig/SORMAS-Project/releases/latest"><img alt="Latest Release" src="https://img.shields.io/github/v/release/hzi-braunschweig/SORMAS-Project"/></a> <img alt="Development Build Status" src="https://github.com/hzi-braunschweig/SORMAS-Project/workflows/Java%20CI%20with%20Maven/badge.svg?branch=development"/> <a href="https://gitter.im/SORMAS-Project"><img alt="Gitter" src="https://badges.gitter.im/SORMAS-Project/dev-support.svg"/></a> <a href="https://twitter.com/SORMASDev"><img alt="Twitter" src="https://img.shields.io/twitter/follow/SORMASDev?label=%40SORMASDev&style=social"/></a>
 </p>
 <br/>
 
@@ -17,10 +17,11 @@
 You can give SORMAS a try on our play server at https://sormas.helmholtz-hzi.de!
 
 #### How Can I Get Involved?
-Read through our [*Contributing Readme*](CONTRIBUTING.md) and contact us at [email protected] or join our [developer chat on Gitter](https://gitter.im/SORMAS-Project) to learn how you can help to drive the development of SORMAS forward and to get development support from our core developers. SORMAS is a community-driven project, and we'd love to have you on board! If you want to contribute to the code, please strictly adhere to the [*Development Environment*](DEVELOPMENT_ENVIRONMENT.md) guide to ensure that everything is set up correctly. Please also make sure that you've read the [*Development Contributing Guidelines*](CONTRIBUTING.md#development-contributing-guidelines) before you start to develop.
+Read through our [*Contributing Readme*](CONTRIBUTING.md) and contact us at [email protected] or join our [developer chat on Gitter](https://gitter.im/SORMAS-Project) to learn how you can help to drive the development of SORMAS forward and to get development support from our core developers. SORMAS is a community-driven project, and we'd love to have you on board! If you want to contribute to the code, please strictly adhere to the [*Development Environment*](DEVELOPMENT_ENVIRONMENT.md) guide to ensure that everything is set up correctly. Please also make sure that you've read the [*Development Contributing Guidelines*](CONTRIBUTING.md#development-contributing-guidelines) before you start to develop, and either follow or regularly check our Twitter account <a href="https://twitter.com/SORMASDev" target="_blank">@SORMASDev</a> to stay up to date with our schedule, new releases, guideline changes and other announcements.
 
 #### How Can I Report a Bug or Request a Feature?
-Please [create a new issue](https://github.com/hzi-braunschweig/SORMAS-Project/issues/new/choose) and read the [*Submitting an Issue*](CONTRIBUTING.md#submitting-an-issue) guide for more detailed instructions. We appreciate your help!
+If you want to report a **security issue**, please follow our guideline for [*Responsible Disclosure*](SECURITY.md).  
+For bugs without security implications, change and feature requests, please [create a new issue](https://github.com/hzi-braunschweig/SORMAS-Project/issues/new/choose) and read the [*Submitting an Issue*](CONTRIBUTING.md#submitting-an-issue) guide for more detailed instructions. We appreciate your help!
 
 #### Which Browsers and Android Versions Are Supported?
 SORMAS officially supports and is tested on **Chromium-based browsers** (like Google Chrome) and **Mozilla Firefox**, and all Android versions starting from **Android 7.0** (Nougat). In principle, SORMAS should be usable with all web browsers that are supported by Vaadin 8 (Chrome, Firefox, Safari, Edge, Internet Explorer 11; see https://vaadin.com/faq).

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the SORMAS
+project.
+
+  * [Reporting a Security Bug](#reporting-a-security-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+  
+If you want to report a bug which is not security sensible, please [submit an issue](https://github.com/hzi-braunschweig/SORMAS-Project/blob/development/CONTRIBUTING.md#submitting-an-issue). 
+
+## Reporting a Security Bug
+
+Our team and community take all security bugs in SORMAS seriously.
+Thank you for improving the security of SORMAS. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.  
+Unfortunately, SORMAS does not offer a paid bug bounty programme or other forms of compensation.
+
+Report security bugs by emailing at **[email protected]**.
+
+We will acknowledge your email and follow up with a response within 10 business days, or explain why a reply may take longer. The response will indicate the next steps in handling your report.  
+After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.
+

SERVER_CUSTOMIZATION.md

@@ -30,11 +30,18 @@ The following properties are currently configurable:
 * **Archiving thresholds** `daysAfterCaseGetsArchived` and `daysAfterEventGetsArchived`: The number of days without any changes after which cases/events are automatically archived (i.e. they will no longer be displayed in the normal directories, but still count towards statistics or counts on the dashboard and can still be viewed by users with the respective user right). If set to 0, automatic archiving is disabled.
 * **Rscript executable** `rscript.executable`: The location of the Rscript executable. If you've installed Rscript on your server and specify the path here (the default should work for Linux systems as long as you've used the default install path), network diagrams for transmission chains will be shown in the web app.
 * **Symptom journal interface**: Properties used to connect to an external symptom journal service. `interface.symptomjournal.url` is the URL to the website that SORMAS should connect to; `interface.symptomjournal.authurl` is the URL used to authenticate SORMAS at the external service; `interface.symptomjournal.clientid` and `interface.symptomjournal.secret` are the credentials used for the authentication process. A default user can be created automatically at startup by using `interface.symptomjournal.defaultuser.username` and `interface.symptomjournal.defaultuser.password`. This user can be used by the Symptom Journal system to connect to SORMAS.
-* **Patient diary interface** Properties used to connect to an external patient diary service. `interface.patientdiary.url` is the URL to the website that SORMAS should connect to; `interface.patientdiary.externaldataurl` is the URL to the website that SORMAS can send notifications; `interface.patientdiary.authurl` is the URL trough which SORMAS can obtain an authorization to the external patient diary; `interface.patientdiary.email` and `interface.patientdiary.password` are the credentials used by SORMAS to authenticate in the external patient diary; A default user can be created automatically at startup by using `interface.patientdiary.defaultuser.username` and `interface.patientdiary.defaultuser.password`. This user can be used by the Patient Diary system to connect to SORMAS.
+* **Patient diary interface** Properties used to connect to an external patient diary service. `interface.patientdiary.url` is the URL to the website that SORMAS should connect to; `interface.patientdiary.probandsurl` is the URL to the website that SORMAS can send notifications; `interface.patientdiary.authurl` is the URL trough which SORMAS can obtain an authorization to the external patient diary; `interface.patientdiary.email` and `interface.patientdiary.password` are the credentials used by SORMAS to authenticate in the external patient diary; A default user can be created automatically at startup by using `interface.patientdiary.defaultuser.username` and `interface.patientdiary.defaultuser.password`. This user can be used by the Patient Diary system to connect to SORMAS.
 * **Custom branding**: Properties used to apply a custom branding to SORMAS that overrides its name and default logo. Using these properties also alters the sidebar and adds another customizable area to it. If you want to use this feature, set `custombranding` to true. `custombranding.name` is the name that you want to use, `custombranding.logo.path` is the path to the logo that should be used.
 * **Geocoding** Properties used to integrate an external geocoding service for obtaining the geo coordinates of addresses.
-*geocodingServiceUrlTemplate* is the url for searching for address details, *${street}*, *${houseNumber}*, *${postalCode}*, and *${city}* placeholders will be replaced with the actual address fields when searching;
-*geocodingLongitudeJsonPath* and *geocodingLatitudeJsonPath* are used to obtain the longitude and latitude of the address in the result of the geocoding service request
+  * `geocodingServiceUrlTemplate` is the url for searching for address details, `${street}`, `${houseNumber}`, `${postalCode}`, and `${city}` placeholders will be replaced with the actual address fields when searching;
+  * `geocodingLongitudeJsonPath` and `geocodingLatitudeJsonPath` are used to obtain the longitude and latitude of the address in the result of the geocoding service request
+* **Authentication Provider**: Allows the user to choose the way of authentication for SORMAS and all it's third party clients. Supported values `SORMAS` (default) and `KEYCLOAK`
+
+### Custom login page
+When setting up the server a custom file directory is created (most likely `/opt/sormas/custom`). You can adjust the `login*.html` files in that directory to customize the login page.
+
+### Custom download files in about section
+You can create a sub-folder `aboutfiles` in the custom directory mentioned above (e.g. `/opt/sormas/custom/aboutfiles`). Any file in that directory will be made available in the about section of the frontend.
 
 ## Importing Infrastructure Data
 When you start a SORMAS server for the first time, some default infrastructure data is generated to ensure that the server is usable and the default users can be created. It is recommended (and, unless you're working on a demo server, necessary) to archive this default data and import the official infrastructure data of the country or part of the country that you intend to use SORMAS in instead.

SERVER_SETUP.md

@@ -75,9 +75,9 @@
 
 ## Keycloak Server
 
-By default Keycloak is run as a Docker container, which can be set up in two ways:
-* As a Docker container
-* As a Standalone installation
+Keycloak can be set up in two ways:
+* as a Docker container (for just using Keycloak approach)
+* as a Standalone installation (for doing development in Keycloak like themes, SPIs)
 
 ### Keycloak as a Docker container
 *To be done only in the situation when SORMAS is already installed on the machine as a standalone installation.*
@@ -88,7 +88,7 @@ By default Keycloak is run as a Docker container, which can be set up in two way
 * SORMAS Server is installed
 * PostgreSQL is installed
 * Docker is installed
-* Open and edit [keycloak-setup.sh](sormas-base/setup/keycloak/keycloak-setup.sh) with your system's actual values
+* Open and edit [keycloak-setup.sh](sormas-base/setup/keycloak/keycloak-setup.sh) with your system's actual values *(on Windows use Git Bash)*.
 
 **Setup**
 * Run [keycloak-setup.sh](sormas-base/setup/keycloak/keycloak-setup.sh)
@@ -105,8 +105,10 @@ By default Keycloak is run as a Docker container, which can be set up in two way
 
 Setting Keycloak up as a standalone installation [Server Installation and Configuration Guide](https://www.keycloak.org/docs/11.0/server_installation/#installation)
 * Make sure to configure Keycloak with PostgreSQL Database [Relational Database Setup](https://www.keycloak.org/docs/11.0/server_installation/#_database)
-* Setup an Admin User
+* Set up an Admin User
 * Copy the `themes` folder content to `${KEYCLOAK_HOME}/themes` [Deploying Themes](https://www.keycloak.org/docs/11.0/server_development/#deploying-themes)
+* Deploy the `sormas-keycloak-service-provider` [Using Keycloak Deployer](https://www.keycloak.org/docs/11.0/server_development/#using-the-keycloak-deployer)
+* Update the [SORMAS.json](sormas-base/setup/keycloak/SORMAS.json) file by replacing the following placeholders: `${SORMAS_SERVER_URL}`, `${KEYCLOAK_SORMAS_UI_SECRET}`, `${KEYCLOAK_SORMAS_BACKEND_SECRET}`, `${KEYCLOAK_SORMAS_REST_SECRET}`
 * Create the SORMAS Realm by importing [SORMAS.json](sormas-base/setup/keycloak/SORMAS.json) see [Create a New Realm](https://www.keycloak.org/docs/11.0/server_admin/#_create-realm)
 * Update the `sormas-*` clients by generating new secrets for them
 * Update the realm's email settings to allow sending emails to users
@@ -124,11 +126,24 @@ where:
 * `${ASADMIN}` - represents the location to `${PAYARA_HOME}\bin\asadmin`
 * `${KEYCLOAK_PORT}` - the port on which keycloak will run
 * `${KEYCLOAK_SORMAS_UI_SECRET}` - is the secret generated in Keycloak for the `sormas-ui` client
-* `${KEYCLOAK_SORMAS_REST_SECRET}` - is the secret generated in Keycloack for the `sormas-rest` client
-* `${KEYCLOAK_SORMAS_BACKEND_SECRET}` - is the secret generated in Keycloack for the `sormas-backend` client
+* `${KEYCLOAK_SORMAS_REST_SECRET}` - is the secret generated in Keycloak for the `sormas-rest` client
+* `${KEYCLOAK_SORMAS_BACKEND_SECRET}` - is the secret generated in Keycloak for the `sormas-backend` client
 
 Then update `sormas.properties` file in the SORMAS domain with the property `authentication.provider=KEYCLOAK`
 
+### Connect Keycloak to an already running instance of SORMAS
+
+*after setting up Keycloak as one of the described options above*
+
+In case Keycloak is set up alongside an already running instance of SORMAS, these are the steps to follow to make sure already existing users can access the system:
+1. Manually create an admin user in Keycloak for the SORMAS realm [Creating a user](https://www.keycloak.org/docs/11.0/getting_started/index.html#creating-a-user) *(username has to be the same as admin's username in SORMAS)*
+2. Login to SORMAS and trigger the **Sync Users** button from the **Users** page
+3. This will sync users to Keycloak keeping their original password - see [SORMAS Keycloak Service Provider](sormas-keycloak-service-provider/README.md) for more information about this
+
+### Keycloak configuration
+
+More about the default configuration and how to customize can be found here [Keycloak](sormas-base/doc/keycloak.md)
+
 ## Web Server Setup
 
 ### Apache Web Server

SERVER_UPDATE.md

@@ -48,4 +48,29 @@ These are the default users for most user roles, intended to be used on developm
 ### Mobile app users
 **Surveillance Officer:** SurvOff  
 **Hospital Informant:** HospInf  
-**Point of Entry Informant:** PoeInf  
+**Point of Entry Informant:** PoeInf
+
+# Updating Keycloak
+
+## Standalone installation
+
+Upgrading from Keycloak 11 to 12 following the steps from here https://www.keycloak.org/docs/latest/upgrading/#_upgrading
+
+1. Stop the old server and make sure to remove any open connections to the DB
+2. Backup the DB *(once the upgrade is done the old version cannot be used with the new DB version)*
+3. Backup the old installation
+4. Remove `${OLD_KEYCLOAK_HOME}/standalone/data/tx-object-store/`
+5. Download the new Keycloak installation from https://www.keycloak.org/downloads
+6. Copy the `${NEW_KEYCLOAK_HOME}/standalone/` directory from the previous installation over the directory in the new installation
+7. Copy the postgres module from `${OLD_KEYCLOAK_HOME}/modules/system/layers/keycloak/org/` over to the new installation directory
+8. Copy the SORMAS themes from `{OLD_KEYCLOAK_HOME}/themes/` over to the new installation directory
+9. While the new installation is stopped, run `${NEW_KEYCLOAK_HOME}/bin/jboss-cli.sh ----file=${NEW_KEYCLOAK_HOME}/bin/migrate-standalone.cli` *(`.bat` for Windows)*
+10. Start the new Keycloak installation from `${NEW_KEYCLOAK_HOME}/bin/standalone.sh` *(`.bat` for Windows)*
+
+## Docker installation
+
+The docker installation is automatically upgraded to the latest version specified in the Dockerfile.
+
+**Prerequisites:** Make sure the DB is backed up, because once the upgrade is done the new DB won't be usable with the old version of Keycloak.
+
+For more info see the [Keycloak Docker Documentation](https://github.com/hzi-braunschweig/SORMAS-Docker/blob/development/keycloak/README.md).

sormas-api/pom.xml

@@ -2,7 +2,7 @@
 	<parent>
 		<groupId>de.symeda.sormas</groupId>
 		<artifactId>sormas-base</artifactId>
-		<version>1.53.0</version>
+		<version>1.54.0</version>
 		<relativePath>../sormas-base</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

sormas-api/src/main/java/de/symeda/sormas/api/AuthProvider.java

@@ -41,10 +41,13 @@ public class AuthProvider {
 
     private final boolean isDefaultProvider;
 
+    private final boolean isUserSyncSupported;
+
     private AuthProvider() {
         String configuredProvider = FacadeProvider.getConfigFacade().getAuthenticationProvider();
         isUsernameCaseSensitive = SORMAS.equalsIgnoreCase(configuredProvider);
         isDefaultProvider = SORMAS.equalsIgnoreCase(configuredProvider);
+        isUserSyncSupported = KEYCLOAK.equalsIgnoreCase(configuredProvider);
     }
 
     public static AuthProvider getProvider() {
@@ -71,4 +74,12 @@ public boolean isUsernameCaseSensitive() {
     public boolean isDefaultProvider() {
         return isDefaultProvider;
     }
+
+    /**
+     * Authentication Provider enables users to be synced from the default provider.
+     */
+    public boolean isUserSyncSupported() {
+        return isUserSyncSupported;
+    }
+
 }

sormas-api/src/main/java/de/symeda/sormas/api/ConfigFacade.java

@@ -85,6 +85,8 @@ public interface ConfigFacade {
 
 	int getDaysAfterEventGetsArchived();
 
+	int getDaysAfterSystemEventGetsDeleted();
+
 	GeoLatLon getCountryCenter();
 
 	int getMapZoom();
@@ -115,4 +117,5 @@ public interface ConfigFacade {
 
 	boolean isSmsServiceSetUp();
 
+	String getDemisJndiName();
 }