From f30260079e077b0ffcb796050610a00fa83c892c Mon Sep 17 00:00:00 2001 From: marie flores Date: Thu, 5 Mar 2026 09:59:08 +0100 Subject: [PATCH 1/6] [backend] wip: fix local migration --- .../opencti-graphql/src/database/data-initialization.js | 2 +- .../authenticationProvider-migration.ts | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/opencti-platform/opencti-graphql/src/database/data-initialization.js b/opencti-platform/opencti-graphql/src/database/data-initialization.js index 82d25a075845..0270f895e7b6 100644 --- a/opencti-platform/opencti-graphql/src/database/data-initialization.js +++ b/opencti-platform/opencti-graphql/src/database/data-initialization.js @@ -450,7 +450,7 @@ export const initializeData = async (context, withMarkings = true) => { platform_theme: darkTheme.id, platform_language: 'auto', view_all_users: false, - local_auth: { enabled: true }, + local_auth: { enabled: true }, // TODO issue here for platform starting on v7 with local in env cert_auth: { enabled: false, description: null, diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts index ed9e157248cf..13b82651b34e 100644 --- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts +++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts 
@@ -9,7 +9,7 @@ import type { AuthContext, AuthUser } from '../../types/user'; import { AuthenticationProviderType } from '../../generated/graphql'; import { logApp } from '../../config/conf'; import { convertAllSSOEnvProviders } from './authenticationProvider-migration-converter'; -import { addAuthenticationProvider, getAllIdentifiers, resolveProviderIdentifier } from './authenticationProvider-domain'; +import { addAuthenticationProvider, findAllAuthenticationProvider, getAllIdentifiers, resolveProviderIdentifier } from './authenticationProvider-domain'; import { isUserHasCapability, SETTINGS_SET_ACCESSES } from '../../utils/access'; import { AuthRequired } from '../../config/errors'; import { isAuthenticationProviderMigrated } from './providers-configuration'; @@ -64,11 +64,11 @@ const parseMappingStrings = (mapping: any) => { */ const migrateLocalAuthIfNeeded = async (context: AuthContext, user: AuthUser) => { const settings = await getSettings(context) as unknown as BasicStoreSettings; + const envConfigurations = nconf.get('providers') ?? {}; + const local = envConfigurations['local']; if (!settings.local_auth) { - const envConfigurations = nconf.get('providers') ?? {}; - const local = envConfigurations['local']; logApp.info('[SINGLETON-MIGRATION] local_auth is absent, creating with defaults'); - await updateLocalAuth(context, user, settings.id, { enabled: local?.enabled ?? true }); + await updateLocalAuth(context, user, settings.id, { enabled: local?.config.disabled !== true }); logApp.info('[SINGLETON-MIGRATION] local_auth successfully ensured'); } }; From 785b41ca4fd5626af9cf6b1ef1beeac5751308c5 Mon Sep 17 00:00:00 2001 From: marie flores Date: Thu, 5 Mar 2026 10:08:38 +0100 Subject: [PATCH 2/6] [backend] wip: fix local migration --- .../authenticationProvider/authenticationProvider-migration.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
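Review bot: The `@@ -64,11 +64,11 @@` hunk keeps the log text `local_auth is absent, creating with defaults` although the value written by `updateLocalAuth` now comes from the `providers.local` env entry, so the log no longer tells an operator whether local password login was turned on or off. Because this write changes which login methods the platform accepts, I would hold the result in a local `enabled` constant and log it, e.g. `logApp.info('[SINGLETON-MIGRATION] local_auth is absent, creating from env providers.local', { enabled });` (assuming `logApp.info` takes a metadata argument; its signature is not on the page). The `nconf.get('providers')` read also moved above the `if (!settings.local_auth)` guard and now runs even when nothing is migrated; it reads more clearly inside the guard.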
diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts index 13b82651b34e..40d09231b61f 100644 --- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts +++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts @@ -9,7 +9,7 @@ import type { AuthContext, AuthUser } from '../../types/user'; import { AuthenticationProviderType } from '../../generated/graphql'; import { logApp } from '../../config/conf'; import { convertAllSSOEnvProviders } from './authenticationProvider-migration-converter'; -import { addAuthenticationProvider, findAllAuthenticationProvider, getAllIdentifiers, resolveProviderIdentifier } from './authenticationProvider-domain'; +import { addAuthenticationProvider, getAllIdentifiers, resolveProviderIdentifier } from './authenticationProvider-domain'; import { isUserHasCapability, SETTINGS_SET_ACCESSES } from '../../utils/access'; import { AuthRequired } from '../../config/errors'; import { isAuthenticationProviderMigrated } from './providers-configuration'; From d03f1c43655ef7604cf32908f94821244048c708 Mon Sep 17 00:00:00 2001 From: marie flores Date: Thu, 5 Mar 2026 10:17:38 +0100 Subject: [PATCH 3/6] [backend] wip: fix local migration --- .../src/database/data-initialization.js | 7 ++- .../authenticationProvider-migration.ts | 8 +++- .../authenticationProvider-migration-test.ts | 48 +++++++++++++++++++ 3 files changed, 59 insertions(+), 4 deletions(-) create mode 100644 opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts diff --git a/opencti-platform/opencti-graphql/src/database/data-initialization.js b/opencti-platform/opencti-graphql/src/database/data-initialization.js index 0270f895e7b6..8b1c41e0afc4 100644 
--- a/opencti-platform/opencti-graphql/src/database/data-initialization.js +++ b/opencti-platform/opencti-graphql/src/database/data-initialization.js @@ -1,5 +1,5 @@ import validator from 'validator'; -import { addSettings } from '../domain/settings'; +import { addSettings, updateLocalAuth } from '../domain/settings'; import { BYPASS, AUTOMATION, ROLE_ADMINISTRATOR, ROLE_DEFAULT, SYSTEM_USER } from '../utils/access'; import { findByType as findEntitySettingsByType, initCreateEntitySettings } from '../modules/entitySetting/entitySetting-domain'; import { initDecayRules } from '../modules/decayRule/decayRule-domain'; @@ -26,6 +26,8 @@ import { initDefaultTheme } from '../modules/theme/theme-domain'; import { addEmailTemplate } from '../modules/emailTemplate/emailTemplate-domain'; import { DEFAULT_EMAIL_TEMPLATE_INPUT } from './default-email-template-input'; import { createRetentionRule } from '../domain/retentionRule'; +import nconf from 'nconf'; +import { isLocalAuthEnabled } from '../modules/authenticationProvider/authenticationProvider-migration'; // region Platform capabilities definition const KNOWLEDGE_CAPABILITY = 'KNOWLEDGE'; @@ -443,6 +445,7 @@ export const initializeData = async (context, withMarkings = true) => { logApp.warn(`[INIT] Platform identifier forced to [${platformId}]`); } const darkTheme = await initDefaultTheme(context); + const envConfigurations = nconf.get('providers') ?? {}; await addSettings(context, SYSTEM_USER, { internal_id: platformId, platform_title: 'OpenCTI - Cyber Threat Intelligence Platform', @@ -450,7 +453,7 @@ export const initializeData = async (context, withMarkings = true) => { platform_theme: darkTheme.id, platform_language: 'auto', view_all_users: false, - local_auth: { enabled: true }, // TODO issue here for platform starting on v7 with local in env + local_auth: { enabled: isLocalAuthEnabled(envConfigurations) }, cert_auth: { enabled: false, description: null, 
diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts index 40d09231b61f..51c73f1ec283 100644 --- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts +++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts @@ -17,6 +17,11 @@ import nconf from 'nconf'; import { getSettings, updateCertAuth, updateHeaderAuth, updateLocalAuth } from '../../domain/settings'; import type { BasicStoreSettings } from '../../types/settings'; +export const isLocalAuthEnabled = (envProviders: Record): boolean => { + const local = envProviders['local']; + return local?.config?.disabled !== true; +}; + // --------------------------------------------------------------------------- // Provider type mapping // --------------------------------------------------------------------------- @@ -65,10 +70,9 @@ const parseMappingStrings = (mapping: any) => { const migrateLocalAuthIfNeeded = async (context: AuthContext, user: AuthUser) => { const settings = await getSettings(context) as unknown as BasicStoreSettings; const envConfigurations = nconf.get('providers') ?? {}; - const local = envConfigurations['local']; if (!settings.local_auth) { logApp.info('[SINGLETON-MIGRATION] local_auth is absent, creating with defaults'); - await updateLocalAuth(context, user, settings.id, { enabled: local?.config.disabled !== true }); + await updateLocalAuth(context, user, settings.id, { enabled: isLocalAuthEnabled(envConfigurations) }); logApp.info('[SINGLETON-MIGRATION] local_auth successfully ensured'); } }; 
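Review bot: `isLocalAuthEnabled` in the `@@ -17,6 +17,11 @@` hunk treats every value of `config.disabled` other than the boolean `true` as enabled, so a `disabled` that arrives as the string `'true'` leaves local password login on. nconf returns environment-sourced values as strings unless the env store is set up with `parseValues`, and the page does not show how `providers` is loaded, so this may or may not be reachable here. If it is, normalising before the comparison closes the gap: `const disabled = local?.config?.disabled;` then `return !(disabled === true || disabled === 'true');`. The exported helper also has no doc comment; I would add `/** Returns false only when providers.local.config.disabled is set in the env configuration; a missing provider or config means local auth stays enabled. */`. The same expression feeds `updateLocalAuth` in the `@@ -65,10 +70,9 @@` hunk.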
diff --git a/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts new file mode 100644 index 000000000000..4b8a877f16ac --- /dev/null +++ b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts 
@@ -0,0 +1,48 @@ +import { describe, expect, it } from 'vitest'; +import { isLocalAuthEnabled } from '../../../../src/modules/authenticationProvider/authenticationProvider-migration'; + +// ========================================================================== +// resolveLocalAuthEnabled +// ========================================================================== + +describe('resolveLocalAuthEnabled', () => { + it('should return true when no local provider is configured', () => { + expect(isLocalAuthEnabled({})).toBe(true); + }); + + it('should return true when local provider exists but disabled is not set', () => { + const providers = { local: { strategy: 'LocalStrategy', config: {} } }; + expect(isLocalAuthEnabled(providers)).toBe(true); + }); + + it('should return true when local provider disabled is explicitly false', () => { + const providers = { local: { strategy: 'LocalStrategy', config: { disabled: false } } }; + expect(isLocalAuthEnabled(providers)).toBe(true); + }); + + it('should return false when local provider disabled is explicitly true', () => { + const providers = { local: { strategy: 'LocalStrategy', config: { disabled: true } } }; + expect(isLocalAuthEnabled(providers)).toBe(false); + }); + + it('should return true when local provider has no config property', () => { + const providers = { local: { strategy: 'LocalStrategy' } }; + expect(isLocalAuthEnabled(providers)).toBe(true); + }); + + it('should not be affected by other providers being present', () => { + const providers = { + oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: true } }, + local: { strategy: 'LocalStrategy', config: { disabled: false } }, + }; + expect(isLocalAuthEnabled(providers)).toBe(true); + }); + + it('should return false when local is disabled even if other providers are enabled', () => { + const providers = { + oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: false } }, + local: { strategy: 'LocalStrategy', config: { disabled: true } }, + 
}; + expect(isLocalAuthEnabled(providers)).toBe(false); + }); +}); From c1dca4632fd275e919e8b7a8cdaa1f5cfb63cd1d Mon Sep 17 00:00:00 2001 From: marie flores Date: Fri, 6 Mar 2026 09:28:20 +0100 Subject: [PATCH 4/6] [backend] wip: fix local migration --- .../opencti-graphql/src/database/data-initialization.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opencti-platform/opencti-graphql/src/database/data-initialization.js b/opencti-platform/opencti-graphql/src/database/data-initialization.js index 8b1c41e0afc4..565dd08b2a8f 100644 --- a/opencti-platform/opencti-graphql/src/database/data-initialization.js +++ b/opencti-platform/opencti-graphql/src/database/data-initialization.js @@ -1,5 +1,5 @@ import validator from 'validator'; -import { addSettings, updateLocalAuth } from '../domain/settings'; +import { addSettings } from '../domain/settings'; import { BYPASS, AUTOMATION, ROLE_ADMINISTRATOR, ROLE_DEFAULT, SYSTEM_USER } from '../utils/access'; import { findByType as findEntitySettingsByType, initCreateEntitySettings } from '../modules/entitySetting/entitySetting-domain'; import { initDecayRules } from '../modules/decayRule/decayRule-domain'; From e6abed8bd850546400dceb41aaab2bff8399262a Mon Sep 17 00:00:00 2001 From: marie flores Date: Fri, 6 Mar 2026 09:41:16 +0100 Subject: [PATCH 5/6] [backend] wip: fix local migration --- .../opencti-graphql/src/database/data-initialization.js | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/opencti-platform/opencti-graphql/src/database/data-initialization.js b/opencti-platform/opencti-graphql/src/database/data-initialization.js index 565dd08b2a8f..82d25a075845 100644 --- a/opencti-platform/opencti-graphql/src/database/data-initialization.js +++ b/opencti-platform/opencti-graphql/src/database/data-initialization.js 
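Review bot: The new test cases only pass boolean `disabled` values, so the suite does not pin what happens when `providers.local.config.disabled` is a string such as `'true'`, or when `local` or `config` is `null`; those are the inputs that decide whether local login stays on by accident. I would add one case per shape, for example `expect(isLocalAuthEnabled({ local: { config: { disabled: 'true' } } })).toBe(false);` if strings are meant to disable, or the same call with `.toBe(true)` and a comment if the strict boolean check is intended. The `describe('resolveLocalAuthEnabled', ...)` title and the banner comment above it name a function that the test file does not import; both should match the exported helper's name.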
@@ -26,8 +26,6 @@ import { initDefaultTheme } from '../modules/theme/theme-domain'; import { addEmailTemplate } from '../modules/emailTemplate/emailTemplate-domain'; import { DEFAULT_EMAIL_TEMPLATE_INPUT } from './default-email-template-input'; import { createRetentionRule } from '../domain/retentionRule'; -import nconf from 'nconf'; -import { isLocalAuthEnabled } from '../modules/authenticationProvider/authenticationProvider-migration'; // region Platform capabilities definition const KNOWLEDGE_CAPABILITY = 'KNOWLEDGE'; @@ -445,7 +443,6 @@ export const initializeData = async (context, withMarkings = true) => { logApp.warn(`[INIT] Platform identifier forced to [${platformId}]`); } const darkTheme = await initDefaultTheme(context); - const envConfigurations = nconf.get('providers') ?? {}; await addSettings(context, SYSTEM_USER, { internal_id: platformId, platform_title: 'OpenCTI - Cyber Threat Intelligence Platform', @@ -453,7 +450,7 @@ export const initializeData = async (context, withMarkings = true) => { platform_theme: darkTheme.id, platform_language: 'auto', view_all_users: false, - local_auth: { enabled: isLocalAuthEnabled(envConfigurations) }, + local_auth: { enabled: true }, cert_auth: { enabled: false, description: null, From 037c64b761c7ab95489492e962c49bfae5357517 Mon Sep 17 00:00:00 2001 From: marie flores Date: Fri, 6 Mar 2026 11:28:00 +0100 Subject: [PATCH 6/6] [backend] wip: fix local migration --- .../authenticationProvider-migration.ts | 4 ++-- .../authenticationProvider-migration-test.ts | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts index 51c73f1ec283..157e9e27a6fd 100644 --- a/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts 
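Review bot: The `@@ -453,7 +450,7 @@` hunk puts `local_auth: { enabled: true }` back into `initializeData`, which restores the case the earlier TODO in this series described: a platform initialised for the first time with `providers.local.config.disabled: true` in its env configuration gets local password login enabled. `migrateLocalAuthIfNeeded` only writes when `settings.local_auth` is absent, so unless a path outside this series reconciles the value, nothing later corrects it. If the revert is deliberate, the line should say so, e.g. `// NOTE: always enabled on first init; providers.local.config.disabled from env is not applied here`; otherwise keep the env-derived value from the earlier patch.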
+++ b/opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts @@ -17,7 +17,7 @@ import nconf from 'nconf'; import { getSettings, updateCertAuth, updateHeaderAuth, updateLocalAuth } from '../../domain/settings'; import type { BasicStoreSettings } from '../../types/settings'; -export const isLocalAuthEnabled = (envProviders: Record): boolean => { +export const isLocalAuthEnabledInEnv = (envProviders: Record): boolean => { const local = envProviders['local']; return local?.config?.disabled !== true; }; @@ -72,7 +72,7 @@ const migrateLocalAuthIfNeeded = async (context: AuthContext, user: AuthUser) => const envConfigurations = nconf.get('providers') ?? {}; if (!settings.local_auth) { logApp.info('[SINGLETON-MIGRATION] local_auth is absent, creating with defaults'); - await updateLocalAuth(context, user, settings.id, { enabled: isLocalAuthEnabled(envConfigurations) }); + await updateLocalAuth(context, user, settings.id, { enabled: isLocalAuthEnabledInEnv(envConfigurations) }); logApp.info('[SINGLETON-MIGRATION] local_auth successfully ensured'); } }; diff --git a/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts index 4b8a877f16ac..614a0ea0b7c7 100644 --- a/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts +++ b/opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts 
@@ -1,5 +1,5 @@ import { describe, expect, it } from 'vitest'; -import { isLocalAuthEnabled } from '../../../../src/modules/authenticationProvider/authenticationProvider-migration'; +import { isLocalAuthEnabledInEnv } from '../../../../src/modules/authenticationProvider/authenticationProvider-migration'; // ========================================================================== // resolveLocalAuthEnabled @@ -7,27 +7,27 @@ import { isLocalAuthEnabled } from '../../../../src/modules/authenticationProvid describe('resolveLocalAuthEnabled', () => { it('should return true when no local provider is configured', () => { - expect(isLocalAuthEnabled({})).toBe(true); + expect(isLocalAuthEnabledInEnv({})).toBe(true); }); it('should return true when local provider exists but disabled is not set', () => { const providers = { local: { strategy: 'LocalStrategy', config: {} } }; - expect(isLocalAuthEnabled(providers)).toBe(true); + expect(isLocalAuthEnabledInEnv(providers)).toBe(true); }); it('should return true when local provider disabled is explicitly false', () => { const providers = { local: { strategy: 'LocalStrategy', config: { disabled: false } } }; - expect(isLocalAuthEnabled(providers)).toBe(true); + expect(isLocalAuthEnabledInEnv(providers)).toBe(true); }); it('should return false when local provider disabled is explicitly true', () => { const providers = { local: { strategy: 'LocalStrategy', config: { disabled: true } } }; - expect(isLocalAuthEnabled(providers)).toBe(false); + expect(isLocalAuthEnabledInEnv(providers)).toBe(false); }); it('should return true when local provider has no config property', () => { const providers = { local: { strategy: 'LocalStrategy' } }; - expect(isLocalAuthEnabled(providers)).toBe(true); + expect(isLocalAuthEnabledInEnv(providers)).toBe(true); }); it('should not be affected by other providers being present', () => { 
@@ -35,7 +35,7 @@ describe('resolveLocalAuthEnabled', () => { oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: true } }, local: { strategy: 'LocalStrategy', config: { disabled: false } }, }; - expect(isLocalAuthEnabled(providers)).toBe(true); + expect(isLocalAuthEnabledInEnv(providers)).toBe(true); }); it('should return false when local is disabled even if other providers are enabled', () => { @@ -43,6 +43,6 @@ describe('resolveLocalAuthEnabled', () => { oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: false } }, local: { strategy: 'LocalStrategy', config: { disabled: true } }, }; - expect(isLocalAuthEnabled(providers)).toBe(false); + expect(isLocalAuthEnabledInEnv(providers)).toBe(false); }); });