Merge branch 'develop' into feature/recover

Author: mindmonk

.github/workflows/build.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
@@ -36,7 +36,7 @@ jobs:
         working-directory: frontend
         run: npm run dist
       - name: SonarCloud Scan Frontend
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
         with:
           projectBaseDir: frontend
           args: >
@@ -49,13 +49,13 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
         with:
           distribution: 'temurin'
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -96,7 +96,7 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'

.github/workflows/keycloak.yml

@@ -25,7 +25,7 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'

CHANGELOG.md

@@ -9,11 +9,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Show pictures of the groups in the Vaults member list.
+- Show pictures of the groups in the Vaults member list. (#375)
 
 ### Changed
 
 - Updated Keycloak to 26.4.7
+- Update Quarkus to 3.20.4 LTS
+- Improved efficiency of keycloak-to-hub data sync (#377)
+- Improved efficiency of group-based access permission checks (#372)
+- Migrated aes-siv and base encoding libraries to [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) and [`@scure/base`](https://github.com/paulmillr/scure-base/) (#373)
+
+### Security
+
+- CVE-2025-64756, CVE-2025-64118: removed `glob` and `tar` dependencies
+- CVE-2025-64718, CVE-2025-62522: updated `js-yaml` and `vite`
 
 ## [1.4.6](https://github.com/cryptomator/hub/compare/1.4.5...1.4.6)
 

backend/pom.xml

@@ -10,13 +10,13 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.jdk.version>21</project.jdk.version>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <quarkus.platform.version>3.20.3</quarkus.platform.version>
+    <quarkus.platform.version>3.20.4</quarkus.platform.version>
     <jwt.version>4.5.0</jwt.version>
     <compiler-plugin.version>3.14.1</compiler-plugin.version>
-    <dependency-plugin.version>3.8.1</dependency-plugin.version>
+    <dependency-plugin.version>3.9.0</dependency-plugin.version>
     <surefire-plugin.version>3.5.4</surefire-plugin.version>
     <failsafe-plugin.version>3.5.4</failsafe-plugin.version>
-    <junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
+    <junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
   </properties>
 
   <dependencyManagement>

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -610,7 +610,7 @@ public Response claimOwnership(@PathParam("vaultId") UUID vaultId, @FormParam("p
 	}
 
 	@JsonInclude(JsonInclude.Include.NON_NULL)
-	public record VaultDto(@JsonProperty("id") UUID id,
+	public record VaultDto(@JsonProperty("id") @NotNull UUID id,
 						   @JsonProperty("name") @NoHtmlOrScriptChars @NotBlank String name,
 						   @JsonProperty("creationTime") Instant creationTime, @JsonProperty("description") @NoHtmlOrScriptChars String description,
 						   @JsonProperty("archived") boolean archived,

backend/src/main/java/org/cryptomator/hub/entities/Group.java

@@ -32,10 +32,6 @@ public Set<Authority> getMembers() {
 		return members;
 	}
 
-	public void setMembers(Set<Authority> members) {
-		this.members = members;
-	}
-
 	@Transient
 	public int getMemberSize() {
 		return members.size();

backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java

@@ -9,6 +9,7 @@
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
 
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -36,18 +37,27 @@ void sync() {
 
 	@Transactional
 	void sync(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, KeycloakUserDto> keycloakUsers) {
+		// get current state from database:
 		var databaseUsers = userRepo.findAll().stream().collect(Collectors.toMap(User::getId, Function.identity()));
 		var databaseGroups = groupRepo.findAll().stream().collect(Collectors.toMap(Group::getId, Function.identity()));
-		syncAddedUsers(keycloakUsers, databaseUsers);
+
+		// sync users:
+		var addedUsers = syncAddedUsers(keycloakUsers, databaseUsers);
 		var deletedUserIds = syncDeletedUsers(keycloakUsers, databaseUsers);
 		syncUpdatedUsers(keycloakUsers, databaseUsers, deletedUserIds);
-		syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
+
+		// all users after additions and deletions:
+		Map<String, Authority> allAuthorities = merge(databaseUsers, addedUsers);
+		deletedUserIds.forEach(allAuthorities::remove);
+
+		// sync groups:
+		var addedGroups = syncAddedGroups(keycloakGroups, databaseGroups, allAuthorities);
 		var deletedGroupIds = syncDeletedGroups(keycloakGroups, databaseGroups);
-		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, databaseUsers);
+		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, allAuthorities);
 	}
 
 	//visible for testing
-	void syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
+	Map<String, User> syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
 		var addedIds = diff(keycloakUsers.keySet(), databaseUsers.keySet());
 		var added = addedIds.stream().map(id -> {
 			var keycloakUser = keycloakUsers.get(id);
@@ -57,9 +67,10 @@ void syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User
 			databaseUser.setEmail(keycloakUser.email());
 			databaseUser.setPictureUrl(keycloakUser.pictureUrl());
 			return databaseUser;
-		});
-		userRepo.persist(added);
+		}).collect(Collectors.toMap(User::getId, Function.identity()));
+		userRepo.persist(added.values());
 		effectiveGroupMembershipRepo.updateUsers(addedIds);
+		return added;
 	}
 
 	//visible for testing
@@ -83,30 +94,20 @@ void syncUpdatedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, Us
 	}
 
 	//visible for testing
-	void syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, User> databaseUsers) {
+	Map<String, Group> syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, Authority> allAuthorities) {
 		var addedIds = diff(keycloakGroups.keySet(), databaseGroups.keySet());
 		var added = addedIds.stream().map(id -> {
 			var keycloakGroup = keycloakGroups.get(id);
 			var databaseGroup = new Group();
 			databaseGroup.setId(keycloakGroup.id());
 			databaseGroup.setName(keycloakGroup.name());
 			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
-			Set<Authority> members = new HashSet<>();
-			for (var keycloakMember : keycloakGroup.members()) {
-				var databaseUser = databaseUsers.get(keycloakMember.id());
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(keycloakMember.id());
-				}
-				if (databaseUser != null) {
-					members.add(databaseUser);
-				}
-			}
-			databaseGroup.setMembers(members);
+			databaseGroup.getMembers().addAll(keycloakGroup.members().stream().map(KeycloakUserDto::id).map(allAuthorities::get).collect(Collectors.toSet()));
 			return databaseGroup;
-		});
-		groupRepo.persist(added);
+		}).collect(Collectors.toMap(Group::getId, Function.identity()));
+		groupRepo.persist(added.values());
 		effectiveGroupMembershipRepo.updateGroups(addedIds);
+		return added;
 	}
 
 	//visible for testing
@@ -118,39 +119,39 @@ Set<String> syncDeletedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<
 	}
 
 	//visible for testing
-	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, User> databaseUsers) {
+	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, Authority> allAuthorities) {
 		var toUpdateIds = diff(databaseGroups.keySet(), deletedGroupIds);
 		var idsOfGroupsWithChangedMembers = new HashSet<String>();
 		for (var id : toUpdateIds) {
 			var databaseGroup = databaseGroups.get(id);
 			var keycloakGroup = keycloakGroups.get(id);
-			var wantIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
-			var haveIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
 			databaseGroup.setName(keycloakGroup.name());
 			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
-			for (var addId : diff(wantIds, haveIds)) {
-				var databaseUser = databaseUsers.get(addId);
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(addId);
-				}
-				if (databaseUser != null) {
-					databaseGroup.getMembers().add(databaseUser);
-				}
-			}
-			for (var removeId : diff(haveIds, wantIds)) {
-				databaseGroup.getMembers().removeIf(u -> u.getId().equals(removeId));
-			}
-			if (!wantIds.containsAll(haveIds) || !haveIds.containsAll(wantIds)) {
+
+			// update members:
+			var kcMemberIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
+			var dbMemberIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
+			var addedMemberIds = diff(kcMemberIds, dbMemberIds);
+			var addedMembers = addedMemberIds.stream().map(allAuthorities::get).collect(Collectors.toSet());
+			databaseGroup.getMembers().addAll(addedMembers);
+			var removedMemberIds = diff(dbMemberIds, kcMemberIds);
+			databaseGroup.getMembers().removeIf(u -> removedMemberIds.contains(u.getId()));
+			if (!addedMemberIds.isEmpty() || !removedMemberIds.isEmpty()) {
 				idsOfGroupsWithChangedMembers.add(id);
 			}
 		}
 		effectiveGroupMembershipRepo.updateGroups(idsOfGroupsWithChangedMembers);
 	}
 
-	private <T> Set<T> diff(Set<T> base, Set<T> difference) {
+	private static <T> Set<T> diff(Set<T> base, Set<T> difference) {
 		var result = new HashSet<>(base);
 		result.removeAll(difference);
 		return result;
 	}
+
+	private static <K, V> Map<K, V> merge(Map<K, ? extends V> first, Map<K, ? extends V> second) {
+		Map<K, V> result = new HashMap<>(first);
+		result.putAll(second);
+		return result;
+	}
 }

backend/src/test/java/org/cryptomator/hub/RollbackTestIT.java

@@ -29,7 +29,7 @@ class WithFlywayCleanup {
 		@Test
 		@Order(1)
 		@DBRollbackAfter
-		public void changeDB() throws SQLException {
+		void changeDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE "settings"
@@ -41,7 +41,7 @@ public void changeDB() throws SQLException {
 
 		@Test
 		@Order(2)
-		public void testDB() throws SQLException {
+		void testDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				var result = s.executeQuery("""
 						SELECT *
@@ -60,7 +60,7 @@ class NoCleanup {
 
 		@Test
 		@Order(1)
-		public void changeDB() throws SQLException {
+		void changeDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE "settings"
@@ -72,7 +72,7 @@ public void changeDB() throws SQLException {
 
 		@Test
 		@Order(2)
-		public void testDB() throws SQLException {
+		void testDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				var result = s.executeQuery("""
 						SELECT *

backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java

@@ -24,20 +24,20 @@ public class AuditLogResourceIT {
 	LicenseHolder licenseHolder;
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
 	@BeforeEach
-	public void beforeEach() {
+	void beforeEach() {
 		Mockito.doReturn(true).when(licenseHolder).isSet();
 		Mockito.doReturn(false).when(licenseHolder).isExpired();
 	}
 
 	@Test
 	@TestSecurity(user = "Admin", roles = {"admin"})
 	@DisplayName("As admin, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&paginationId=9999 returns 200 with 20 entries")
-	public void testGetAuditLogEntries() {
+	void testGetAuditLogEntries() {
 		given().param("startDate", "2020-02-20T00:00:00.000Z")
 				.param("endDate", "2020-02-20T23:59:59.999Z")
 				.param("paginationId", 9999L)
@@ -49,7 +49,7 @@ public void testGetAuditLogEntries() {
 	@Test
 	@TestSecurity(user = "Admin", roles = {"admin"})
 	@DisplayName("As admin, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&pageSize=10&paginationId=1000&order=asc returns 200 with 3 entries")
-	public void testGetAuditLogEntriesPageSizeAsc() {
+	void testGetAuditLogEntriesPageSizeAsc() {
 		given().param("startDate", "2020-02-20T00:00:00.000Z")
 				.param("endDate", "2020-02-20T23:59:59.999Z")
 				.param("pageSize", 3)
@@ -63,7 +63,7 @@ public void testGetAuditLogEntriesPageSizeAsc() {
 	@Test
 	@TestSecurity(user = "User", roles = {"user"})
 	@DisplayName("As user, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&pageSize=10 returns 403")
-	public void testGetAuditLogEntriesAsUser() {
+	void testGetAuditLogEntriesAsUser() {
 		when().get("/auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999ZZ&pageSize=10")
 				.then().statusCode(403);
 	}