Merge remote-tracking branch 'origin/v11' into backlog/extend-visualization-creation-flow-to-include-SQL

# Conflicts:
#	backend/src/main/resources/config/liquibase/master.xml

Author: elmilan06

CHANGELOG.md

@@ -1,8 +1,8 @@
-# UTMStack 11.1.4 – Release Notes
+# UTMStack 11.1.5 – Release Notes
 
-The **UTMStack v11.1.4** update delivers important fixes and usability improvements to enhance stability and user experience.
+The **UTMStack v11.1.5** update delivers important fixes and usability improvements to enhance stability and user experience.
 
 ## Improvements & Fixes
-- Refined the styling of download links to improve clarity and accessibility.
-- Resolved a syntax error in the UTMStack installation command, ensuring smoother setup.
-- Corrected the display of pipeline card statuses and improved accuracy of event processing counts.
+- Standardized `utm_visualization` field names by replacing legacy O365 keys with new conventions.
+- Enhanced responsive behavior for TFA enrollment components based on viewport height.
+

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -166,6 +166,9 @@ public final class Constants {
     // Application version file
     public static final String APP_VERSION_FILE = "/updates/version.json";
 
+    public static final String ADMIN_EMAIL = "admin@localhost";
+
+
     private Constants() {
     }
 }

backend/src/main/java/com/park/utmstack/security/jwt/TokenProvider.java

@@ -121,13 +121,10 @@ public boolean validateToken(String authToken) {
     }
 
     public boolean shouldBypassTfa(HttpServletRequest request) {
-        boolean bypassSwagger = Boolean.parseBoolean(request.getHeader(Constants.TFA_EXEMPTION_HEADER));
-
         boolean forceTfaAuth = Boolean.parseBoolean(
                 Optional.ofNullable(System.getenv(Constants.ENV_TFA_ENABLE)).orElse("true")
         );
-
-        return bypassSwagger || !forceTfaAuth;
+        return !forceTfaAuth;
     }
 
 }

backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginSuccessHandler.java

@@ -1,5 +1,6 @@
 package com.park.utmstack.security.saml;
 
+import com.park.utmstack.domain.User;
 import com.park.utmstack.repository.UserRepository;
 import com.park.utmstack.security.jwt.TokenProvider;
 import lombok.RequiredArgsConstructor;
@@ -21,6 +22,7 @@
 import java.net.URI;
 import java.util.Collection;
 import java.util.Objects;
+import java.util.Optional;
 
 import static com.park.utmstack.config.Constants.FRONT_BASE_URL;
 
@@ -50,33 +52,25 @@ public void onAuthenticationSuccess(HttpServletRequest request,
         String frontBaseUrl = scheme + "://" + host;
 
         Saml2AuthenticatedPrincipal samlUser = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
-        var roles = samlUser.getAttribute("roles");
-
         String username = samlUser.getName();
 
-        if (roles == null || ((Collection<?>) roles).isEmpty() || userRepository.findOneByLogin(username).isEmpty()) {
-            log.error("{}: Attempted SAML2 login with invalid roles or non-existing user account.", username);
-            failureHandler.onAuthenticationFailure(request, response,
-                    new BadCredentialsException("The provided credentials do not match any active user account or the account lacks required roles."));
-            return;
-        }
+        User user = userRepository.findOneByLogin(username)
+                .orElseThrow(() -> new BadCredentialsException("The provided credentials do not match any active user account."));
 
-        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(samlUser.getAttribute("roles"))
+        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(user.getAuthorities())
                 .stream()
                 .map(Objects::toString)
                 .filter(r -> r.startsWith("ROLE_"))
                 .map(SimpleGrantedAuthority::new)
                 .toList();
 
         UsernamePasswordAuthenticationToken auth =
-                new UsernamePasswordAuthenticationToken(username, null, authorities);
+                new UsernamePasswordAuthenticationToken((Object) username, null, authorities);
 
         SecurityContextHolder.getContext().setAuthentication(auth);
 
-        // Generate JWT
         String token = tokenProvider.createToken(auth, false, true);
 
-        // Redirect to frontend with token
         URI redirectUri = UriComponentsBuilder.fromUriString(frontBaseUrl)
                 .path("/")
                 .queryParam("token", token)

backend/src/main/java/com/park/utmstack/service/dto/jwt/LoginResponseDTO.java

@@ -14,5 +14,6 @@ public class LoginResponseDTO {
     private String method;
     private String token;
     private long tfaExpiresInSeconds;
+    boolean firstLogin;
 }
 

backend/src/main/java/com/park/utmstack/service/threat_management/AdversaryAlertsService.java

@@ -27,6 +27,11 @@ public class AdversaryAlertsService {
     private final ElasticsearchService elasticsearchService;
 
     public List<AdversaryAlertsResponseDto> fetchAdversaryAlerts(List<FilterType> filters){
+
+        if(!elasticsearchService.indexExist(V11_ALERTS_INDEX_PATTERN)) {
+            return Collections.emptyList();
+        }
+
         SearchRequest request = SearchRequest.of(s -> s
                 .index(V11_ALERTS_INDEX_PATTERN)
                 .query(SearchUtil.toQuery(filters))

backend/src/main/java/com/park/utmstack/web/rest/UserJWTController.java

@@ -42,6 +42,8 @@
 import javax.validation.Valid;
 import java.util.Map;
 
+import static com.park.utmstack.config.Constants.ADMIN_EMAIL;
+
 /**
  * Controller to authenticate users.
  */
@@ -94,7 +96,7 @@ public ResponseEntity<LoginResponseDTO> authorize(@Valid @RequestBody LoginVM lo
 
         boolean isTfaSetup = isTfaEnabled && user.getTfaMethod() != null && !user.getTfaMethod().isEmpty() && !isAuth;
         Map<String, Object> args = logContextBuilder.buildArgs(request);
-        Long tfaExpiresInSeconds = 0L;
+        long tfaExpiresInSeconds = 0L;
 
         if (isTfaSetup) {
             tfaExpiresInSeconds = tfaService.generateChallenge(user);
@@ -120,6 +122,7 @@ public ResponseEntity<LoginResponseDTO> authorize(@Valid @RequestBody LoginVM lo
                 .tfaConfigured(isTfaSetup)
                 .forceTfa(!isAuth)
                 .tfaExpiresInSeconds(tfaExpiresInSeconds)
+                .firstLogin(user.getEmail().equals(ADMIN_EMAIL))
                 .build();
 
         return ResponseEntity.ok(response);

backend/src/main/java/com/park/utmstack/web/rest/threat_management/AdversaryAlertsResource.java

@@ -24,6 +24,7 @@ public class AdversaryAlertsResource {
 
     @PostMapping("/alerts")
     public ResponseEntity<List<AdversaryAlertsResponseDto>> search(@RequestBody(required = false) List<FilterType> filters) {
+
             List<AdversaryAlertsResponseDto> responseDto = adversaryAlertsService.fetchAdversaryAlerts(filters);
 
             if (responseDto.isEmpty())

backend/src/main/resources/config/liquibase/changelog/20251218001_rename_o365_fields.xml

@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20251218001" author="Manuel Abascal">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE utm_visualization
+            SET
+                filters = REPLACE(
+                        REPLACE(
+                                REPLACE(
+                                        REPLACE(
+                                                REPLACE(filters, 'log.o365.Operation.keyword', 'action.keyword'),
+                                                'log.o365.ClientIP.keyword', 'log.clientIP.keyword'
+                                        ),
+                                        'log.o365.UserId.keyword', 'origin.user.keyword'
+                                ),
+                                'log.o365.ResultStatus.keyword', 'actionResult.keyword'
+                        ),
+                        'log.o365.LogonError.keyword', 'log.logonError.keyword'
+                          )
+            WHERE filters IS NOT NULL;
+
+                UPDATE utm_visualization
+                SET
+                    aggregation = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(aggregation, 'log.o365.Operation.keyword', 'action.keyword'),
+                                                    'log.o365.ClientIP.keyword', 'log.clientIP.keyword'
+                                            ),
+                                            'log.o365.UserId.keyword', 'origin.user.keyword'
+                                    ),
+                                    'log.o365.ResultStatus.keyword', 'actionResult.keyword'
+                            ),
+                            'log.o365.LogonError.keyword', 'log.logonError.keyword'
+                                  )
+                WHERE aggregation IS NOT NULL;
+
+
+
+                UPDATE utm_visualization
+                SET
+                    filters = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(
+                                                            REPLACE(filters, 'log.o365.Workload.keyword', 'log.Workload.keyword'),
+                                                            'log.o365.Workload', 'log.Workload'
+                                                    ),
+                                                    'log.o365.Verdict.keyword', 'emailVerdict.keyword'
+                                            ),
+                                            'log.o365.SenderIp.keyword', 'origin.ip.keyword'
+                                    ),
+                                    'log.o365.Recipients.keyword', 'log.Recipients.keyword'
+                            ),
+                            'log.o365.Subject.keyword', 'log.Subject.keyword'
+                              )
+                WHERE filters IS NOT NULL;
+
+                UPDATE utm_visualization
+                SET
+                    aggregation = REPLACE(
+                            REPLACE(
+                                    REPLACE(
+                                            REPLACE(
+                                                    REPLACE(
+                                                            REPLACE(aggregation, 'log.o365.Workload.keyword', 'log.Workload.keyword'),
+                                                            'log.o365.Workload', 'log.Workload'
+                                                    ),
+                                                    'log.o365.Verdict.keyword', 'emailVerdict.keyword'
+                                            ),
+                                            'log.o365.SenderIp.keyword', 'origin.ip.keyword'
+                                    ),
+                                    'log.o365.Recipients.keyword', 'log.Recipients.keyword'
+                            ),
+                            'log.o365.Subject.keyword', 'log.Subject.keyword'
+                                  )
+                WHERE aggregation IS NOT NULL;
+
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/changelog/20251218002_rename_filter_fields_dashboard.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20251218002" author="Manuel Abascal">
+
+        <sql dbms="postgresql" splitStatements="true" stripComments="true">
+            <![CDATA[
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-o365-', '"indexPattern":"v11-log-o365-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"alert-', '"indexPattern":"v11-alert-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-firewall-meraki-', '"indexPattern":"v11-log-firewall-meraki-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-wineventlog-', '"indexPattern":"v11-log-wineventlog-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-linux-', '"indexPattern":"v11-log-linux-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-cisco-switch-', '"indexPattern":"v11-log-cisco-switch-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-firewall-cisco-asa-', '"indexPattern":"v11-log-firewall-cisco-asa-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"indexPattern":"log-aws-', '"indexPattern":"v11-log-aws-');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"ogx.wineventlog.event_data.SubjectUserName.keyword"', '"field":"log.winlogEventDataSubjectUserName"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.tenant.keyword"', '"field":"tenantId.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.o365.UserId.keyword"', '"field":"origin.user.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.linux.host.name.keyword"', '"field":"origin.host.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"logx.wineventlog.event_data.TargetUserName.keyword"', '"field":"target.user.keyword"');
+
+            UPDATE utm_dashboard
+            SET filters = REPLACE(filters, '"field":"log.winlogEventDataSubjectUserName"', '"field":"log.winlogEventDataSubjectUserName.keyword"');
+
+            ]]>
+        </sql>
+    </changeSet>
+</databaseChangeLog>