From 2b1ef73b6ef6ca9b3ac24d1988e6e1cff840d015 Mon Sep 17 00:00:00 2001
From: Celine Sebe <celine.sebe@filigran.io>
Date: Wed, 4 Mar 2026 16:46:47 +0100
Subject: [PATCH 1/3] [backend]fix normalisation

---
 ...henticationProvider-migration-converter.ts | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
index feaae0817293..e4466d981588 100644
--- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
+++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
@@ -104,17 +104,26 @@ export class ConfigExtractor {
   /** Read a key and mark it as consumed. Also checks the camelCase/snake_case alias. */
   get<T = any>(key: string, defaultValue?: T): T {
     this.consumed.add(key);
+    let value: any;
     if (key in this.config) {
-      return this.config[key] as T;
-    }
-    const alias = SNAKE_TO_CAMEL[key] ?? CAMEL_TO_SNAKE[key];
-    if (alias) {
-      this.consumed.add(alias);
-      if (alias in this.config) {
-        return this.config[alias] as T;
+      value = this.config[key];
+    } else {
+      const alias = SNAKE_TO_CAMEL[key] ?? CAMEL_TO_SNAKE[key];
+      if (alias) {
+        this.consumed.add(alias);
+        if (alias in this.config) {
+          value = this.config[alias];
+        }
       }
     }
-    return defaultValue as T;
+    if (value === undefined) {
+      return defaultValue as T;
+    }
+    // Auto-convert string → boolean when the expected type is boolean
+    if (typeof defaultValue === 'boolean' && typeof value === 'string') {
+      return (value.toLowerCase() === 'true') as unknown as T;
+    }
+    return value as T;
   }
 
   /** Check if a key exists (also checks alias). */

From 8adf794372eca0ae6c15c8fdea55e37bb7f7d3dd Mon Sep 17 00:00:00 2001
From: Celine Sebe <celine.sebe@filigran.io>
Date: Wed, 4 Mar 2026 17:18:27 +0100
Subject: [PATCH 2/3] [backend]unit tests

---
 .../authenticationProvider-converter-test.ts  | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-converter-test.ts b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-converter-test.ts
index 8cd6f35e71c9..f204881fc840 100644
--- a/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-converter-test.ts
+++ b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-converter-test.ts
@@ -69,6 +69,60 @@ describe('ConfigExtractor', () => {
     const ext = new ConfigExtractor({ a: 1, b: 2 });
     expect(ext.getUnconsumedEntries()).toStrictEqual([['a', 1], ['b', 2]]);
   });
+
+  // --- String → boolean auto-conversion ---
+
+  it('should convert string "true" to boolean true when defaultValue is boolean', () => {
+    const ext = new ConfigExtractor({ flag: 'true' });
+    expect(ext.get<boolean>('flag', false)).toBe(true);
+  });
+
+  it('should convert string "True" to boolean true (case-insensitive)', () => {
+    const ext = new ConfigExtractor({ flag: 'True' });
+    expect(ext.get<boolean>('flag', false)).toBe(true);
+  });
+
+  it('should convert string "TRUE" to boolean true (case-insensitive)', () => {
+    const ext = new ConfigExtractor({ flag: 'TRUE' });
+    expect(ext.get<boolean>('flag', false)).toBe(true);
+  });
+
+  it('should convert string "false" to boolean false when defaultValue is boolean', () => {
+    const ext = new ConfigExtractor({ flag: 'false' });
+    expect(ext.get<boolean>('flag', true)).toBe(false);
+  });
+
+  it('should convert string "False" to boolean false (case-insensitive)', () => {
+    const ext = new ConfigExtractor({ flag: 'False' });
+    expect(ext.get<boolean>('flag', true)).toBe(false);
+  });
+
+  it('should convert string "FALSE" to boolean false (case-insensitive)', () => {
+    const ext = new ConfigExtractor({ flag: 'FALSE' });
+    expect(ext.get<boolean>('flag', true)).toBe(false);
+  });
+
+  it('should convert any non-"true" string to false when defaultValue is boolean', () => {
+    const ext = new ConfigExtractor({ flag: 'yes' });
+    expect(ext.get<boolean>('flag', true)).toBe(false);
+  });
+
+  it('should NOT convert string when defaultValue is not boolean', () => {
+    const ext = new ConfigExtractor({ val: 'true' });
+    expect(ext.get<string>('val', 'fallback')).toBe('true');
+  });
+
+  it('should NOT convert string when no defaultValue is provided', () => {
+    const ext = new ConfigExtractor({ val: 'true' });
+    expect(ext.get('val')).toBe('true');
+  });
+
+  it('should return boolean value as-is when value is already boolean', () => {
+    const ext = new ConfigExtractor({ flag: true });
+    expect(ext.get<boolean>('flag', false)).toBe(true);
+    const ext2 = new ConfigExtractor({ flag: false });
+    expect(ext2.get<boolean>('flag', true)).toBe(false);
+  });
 });
 
 // ==========================================================================

From f54fa1d30d16c6fdfea34d968fd2292dcf55735b Mon Sep 17 00:00:00 2001
From: Xavier Fournet <461943+xfournet@users.noreply.github.com>
Date: Wed, 4 Mar 2026 22:23:29 +0100
Subject: [PATCH 3/3] [backend] align allowSelfSigned with others booleans

---
 .../authenticationProvider-migration-converter.ts             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
index e4466d981588..61843309f56a 100644
--- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
+++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration-converter.ts
@@ -633,7 +633,7 @@ export const convertLdapEnvConfig = (envKey: string, entry: EnvProviderEntry): C
   const searchFilter = ext.get<string>('search_filter', '(uid={{username}})');
   const groupSearchBase = ext.get<string>('group_search_base', '');
   const groupSearchFilter = ext.get<string>('group_search_filter', '');
-  const allowSelfSigned = ext.get<any>('allow_self_signed', false);
+  const allowSelfSigned = ext.get<boolean>('allow_self_signed', false);
 
   // Promoted fields (previously in extra_conf, now first-class)
   const searchAttributes = ext.get<string[] | null>('search_attributes', null);
@@ -686,7 +686,7 @@ export const convertLdapEnvConfig = (envKey: string, entry: EnvProviderEntry): C
     search_filter: searchFilter,
     group_base: groupSearchBase,
     group_filter: groupSearchFilter,
-    allow_self_signed: allowSelfSigned === true || allowSelfSigned === 'true',
+    allow_self_signed: allowSelfSigned,
     search_attributes: searchAttributes,
     username_field: usernameField,
     password_field: passwordField,