v0.5.15 update

added check where the addon will only push password hashes of type {SSHA512} back to the database
  (important for backwards compatibility if WebCTRL10.0 servers are connected alongside earlier versions)
added obfuscation for a couple parameters that were getting blocked by AWS load balancer firewalls
updated dependency Jsch from 2.27.2 to 2.27.5
updated dependency pgJDBC from 42.7.7 to 42.7.8
remove ", Inc." from a couple license statements
added a minor internal API that I might invoke from other addons
minor README updates

Author: cvogt729

README.md

@@ -1,6 +1,6 @@
 # PostgreSQL_Connect
 
-WebCTRL is a trademark of Automated Logic Corporation.  Any other trademarks mentioned herein are the property of their respective owners.
+WebCTRL is a trademark of Automated Logic Corporation. Any other trademarks mentioned herein are the property of their respective owners.
 
 - [PostgreSQL\_Connect](#postgresql_connect)
   - [Feature Summary](#feature-summary)
@@ -14,7 +14,7 @@ WebCTRL is a trademark of Automated Logic Corporation.  Any other trademarks men
       - [Add-On Connection](#add-on-connection)
     - [SFTP Server](#sftp-server)
     - [Shared Settings](#shared-settings)
-  - [Synchronizaton](#synchronizaton)
+  - [Synchronization](#synchronization)
     - [Server List](#server-list)
     - [Add-On Whitelist](#add-on-whitelist)
     - [Add-On Blacklist](#add-on-blacklist)
@@ -49,7 +49,7 @@ When this WebCTRL add-on is installed and configured, it periodically communicat
 - Operator synchronization:
   - Synchronize a subnet of whitelisted operators between all connected servers
   - Create a whitelisted operator in the database, and it gets pushed out everywhere
-  - Modify your password on one server, and the change propogates to all other servers
+  - Modify your password on one server, and the change propagates to all other servers
   - Blacklist operators to delete them everywhere
   - Local operators (those that are not white or blacklisted) remain unaltered
   - WebCTRL's operator authentication provider is unaffected
@@ -196,7 +196,7 @@ In addition to the SFTP connection settings shown in the previous section, there
 | `debug` | `false` | When enabled, log messages will be more verbose. |
 | `log_expiration` | `60` | Specifies how many days to retain log messages in the database. |
 | `auto_update` | `true` | Specifies whether to attempt automatic updates for this add-on. |
-| `version` | `0.5.14` | When `auto_update` is enabled, any connected client whose add-on version is less than this value will be updated. |
+| `version` | `0.5.15` | When `auto_update` is enabled, any connected client whose add-on version is less than this value will be updated. |
 | `download_path` | `/webctrl/addons/PostgreSQL_Connect.addon` | When `auto_update` is enabled, this is the SFTP server path where the latest version add-on file will be retrieved. |
 | `license_directory` | `/webctrl/licenses` | Specifies an SFTP server directory path for where to store WebCTRL license files. |
 | `ftp_host` | `postgresql.domain.com` | SFTP server hostname or IP address. |
@@ -217,7 +217,7 @@ When trying to push out an update for the add-on, you should do things in the fo
 
 You cannot use this mechanism to automatically downgrade the add-on to an earlier version.
 
-## Synchronizaton
+## Synchronization
 
 Now that your PostgreSQL database and SFTP server is configured, this section explains how to setup synchronization of operators, add-ons, reverse SSH tunnels, and trends. We will go through each page accessible from the web UI.
 
@@ -230,7 +230,7 @@ This page lists all connected servers. If a server is decomissioned or permanent
 | ID | `1` | Internal ID which uniquely identifies the server within the PostgreSQL database. (Read-only) |
 | Name | `ACES Main Building` | User-friendly display name for the server. This defaults to the display name of the root of the Geo tree. |
 | WebCTRL Version | `8.5.002.20230323-123687` | Full version of the WebCTRL server. (Read-only) |
-| Add-On Version | `0.5.14` | Installed version of the PostgreSQL_Connect add-on. (Read-only) |
+| Add-On Version | `0.5.15` | Installed version of the PostgreSQL_Connect add-on. (Read-only) |
 | IP Address | `123.45.67.89` | External IP address of the server as viewed by the PostgreSQL database. (Read-only) |
 | Last Sync | `2024-12-02 14:05:32` | Timestamp of the last successful synchronization. If synced within the last 24 hours, the background color is green; otherwise, the background is red. (Read-only) |
 | License | `WebCTRL Premium` | Click this field to download WebCTRL's license. (Read-only) |
@@ -285,7 +285,9 @@ The table structure of this page is identical to that of the operator whitelist
 
 ### Reverse Operator Sync
 
-When whitelisted operators changes their passwords (or other attributes) locally on the WebCTRL server, the changes are pushed back to the database during the next sync interval. It can take up to two full sync cycles for the password change to propogate to other connected server. With this logic as stated, it would be possible for a local admin at one site to reset the passwords of everyone across all sites (either accidentally or maliciously). To mitigiate this possibility, the whitelisted operators being updated must have logged into the server within the past 8 hours in order for changes to propagate. Note that this reverse sync only functions on WebCTRL versions 8.5 and later.
+When whitelisted operators changes their passwords (or other attributes) locally on the WebCTRL server, the changes are pushed back to the database during the next sync interval. It can take up to two full sync cycles for the password change to propogate to other connected servers. With this logic as stated, it would be possible for a local admin at one site to reset the passwords of everyone across all sites (either accidentally or maliciously). To mitigiate this possibility, the whitelisted operators being updated must have logged into the server within the past 8 hours in order for changes to propagate.
+
+Note that this reverse sync only functions on WebCTRL versions 8.5 and 9.0. WebCTRL8.0 does not record the last login timestamp of operators, so the 8 hours propagation window cannot be determined in such cases. WebCTRL10.0 changed the default password hashing algorithm to PBKDF2. Since previous versions do not support PBKDF2, having WebCTRL10.0 hashes sync back to the database would break backwards compatibility. After sufficient time passes, we may drop support for these previous versions, and then PBKDF2 hashes will be preferred over SHA512.
 
 ### Operator Blacklist
 
@@ -464,7 +466,7 @@ CREATE INDEX webctrl_trend_data_time ON webctrl.trend_data ("time" DESC);
 
 ### Packaged Dependencies
 
-- [PostgreSQL JDBC 42.7.7](https://jdbc.postgresql.org/) - Used to connect to PostgreSQL databases.
+- [PostgreSQL JDBC 42.7.8](https://jdbc.postgresql.org/) - Used to connect to PostgreSQL databases.
 - [JSch 2.27.2](https://github.com/mwiede/jsch) - Used to connect to SFTP servers.
 - [JSON-java 20250517](https://github.com/stleary/JSON-java) - Used to encode and decode JSON data.
 

config/BUILD_DETAILS

@@ -7,38 +7,38 @@ Compilation Flags:
 --release 11
 
 Runtime Dependencies:
-addonsupport-api-addon-1.10.0
-alarmmanager-api-addon-1.10.0
-bacnet-api-core-1.10.007-20240227.1003r
-datatable-api-addon-1.10.0
-directaccess-api-addon-1.10.0
-logicbuilder-api-addon-1.10.0
-semantics-api-addon-1.10.0
-tomcat-embed-core-9.0.87
-webaccess-api-addon-1.10.0
-xdatabase-api-addon-1.10.0
-cjupdate-1.2.4
-common-9.0.002
+addonsupport-api-addon-1.11.0
+alarmmanager-api-addon-1.11.0
+bacnet-api-core-1.11.006-20250512.1103r
+datatable-api-addon-1.11.0
+directaccess-api-addon-1.11.0
+logicbuilder-api-addon-1.11.0
+semantics-api-addon-1.11.0
+tomcat-embed-core-9.0.107
+webaccess-api-addon-1.11.0
+xdatabase-api-addon-1.11.0
+cjupdate-1.2.5
+common-10.0.002
 commonbaseutils-2.0.5
-commonexceptions-9.0.002
-core-9.0.002
-core-api-9.0.002
-databasebridge-9.0.002
-datatable-9.0.002
-directaccess-9.0.002
-directaccess-api-9.0.002
-extensionsupport-api-9.0.002
-launcher-3.0.10
-serviceframework-9.0.002
-spring-context-5.3.33
-update-api-9.0.002
-webserver-api-9.0.002
-webui-9.0.002
+commonexceptions-10.0.002
+core-10.0.002
+core-api-10.0.002
+databasebridge-10.0.002
+datatable-10.0.002
+directaccess-10.0.002
+directaccess-api-10.0.002
+extensionsupport-api-10.0.002
+launcher-3.0.12
+serviceframework-10.0.002
+spring-context-5.3.39
+update-api-10.0.002
+webserver-api-10.0.002
+webui-10.0.002
 
 Packaged Dependencies:
-jsch-2.27.2-sources
-jsch-2.27.2
+jsch-2.27.5-sources
+jsch-2.27.5
 json-20250517-sources
 json-20250517
-postgresql-42.7.7-sources
-postgresql-42.7.7
+postgresql-42.7.8-sources
+postgresql-42.7.8

config/EXTERNAL_DEPS

@@ -1,6 +1,6 @@
-url:postgresql-42.7.7.jar:https://repo1.maven.org/maven2/org/postgresql/postgresql/42.7.7/postgresql-42.7.7.jar
-url:postgresql-42.7.7-sources.jar:https://repo1.maven.org/maven2/org/postgresql/postgresql/42.7.7/postgresql-42.7.7-sources.jar
-url:jsch-2.27.2.jar:https://repo1.maven.org/maven2/com/github/mwiede/jsch/2.27.2/jsch-2.27.2.jar
-url:jsch-2.27.2-sources.jar:https://repo1.maven.org/maven2/com/github/mwiede/jsch/2.27.2/jsch-2.27.2-sources.jar
+url:postgresql-42.7.8.jar:https://repo1.maven.org/maven2/org/postgresql/postgresql/42.7.8/postgresql-42.7.8.jar
+url:postgresql-42.7.8-sources.jar:https://repo1.maven.org/maven2/org/postgresql/postgresql/42.7.8/postgresql-42.7.8-sources.jar
+url:jsch-2.27.5.jar:https://repo1.maven.org/maven2/com/github/mwiede/jsch/2.27.5/jsch-2.27.5.jar
+url:jsch-2.27.5-sources.jar:https://repo1.maven.org/maven2/com/github/mwiede/jsch/2.27.5/jsch-2.27.5-sources.jar
 url:json-20250517.jar:https://repo1.maven.org/maven2/org/json/json/20250517/json-20250517.jar
 url:json-20250517-sources.jar:https://repo1.maven.org/maven2/org/json/json/20250517/json-20250517-sources.jar

root/info.xml

@@ -1,7 +1,7 @@
 <extension version="1">
   <name>PostgreSQL_Connect</name>
   <description>Periodically synchronizes operators, add-ons, and specified trends with an external PostgreSQL database.</description>
-  <version>0.5.14</version>
+  <version>0.5.15</version>
   <vendor>Automatic Controls Equipment Systems, Inc.</vendor>
   <system-menu-provider>aces.webctrl.postgresql.web.SystemMenuEditor</system-menu-provider>
 </extension>

src/aces/webctrl/postgresql/core/ExternalAPI.java

@@ -0,0 +1,15 @@
+package aces.webctrl.postgresql.core;
+import java.util.*;
+public class ExternalAPI {
+  private final static HashMap<String,Long> loginTimestampOverrides = new HashMap<>();
+  public static void simulateLogin(String username){
+    final long cur = System.currentTimeMillis();
+    loginTimestampOverrides.put(username.toLowerCase(), cur);
+    Initializer.log("ExternalAPI simulated login for user: " + username);
+    final long lim = cur - 86400000L;
+    loginTimestampOverrides.values().removeIf(timestamp -> timestamp < lim);
+  }
+  protected static long getLoginOverride(String username){
+    return loginTimestampOverrides.getOrDefault(username, 0L);
+  }
+}

src/aces/webctrl/postgresql/core/OperatorData.java

@@ -50,7 +50,7 @@ public void write(OperatorLink link, CoreNode op, boolean admin) throws CoreNotF
     }
     if (obj instanceof OperatorData){
       OperatorData op = (OperatorData)obj;
-      return lvl5_auto_collapse==op.lvl5_auto_collapse && (Sync.excludeAutoLogoutTime || lvl5_auto_logout==op.lvl5_auto_logout) && username.equals(op.username) && display_name.equals(op.display_name) && password.equals(op.password);
+      return lvl5_auto_collapse==op.lvl5_auto_collapse && (Sync.excludeAutoLogoutTime || lvl5_auto_logout==op.lvl5_auto_logout) && username.equals(op.username) && display_name.equals(op.display_name) && (password.equals(op.password) || op.password==null || !op.password.startsWith("{SSHA512}"));
     }else{
       return false;
     }
@@ -67,7 +67,7 @@ public String query(OperatorData op){
       }
       sb.append(" \"display_name\" = ").append(Utility.escapePostgreSQL(op.display_name));
     }
-    if (!password.equals(op.password)){
+    if (!password.equals(op.password) && op.password!=null && op.password.startsWith("{SSHA512}")){
       if (first){
         first = false;
       }else{

src/aces/webctrl/postgresql/core/SerializationStream.java

@@ -1,6 +1,6 @@
 /*
   BSD 3-Clause License
-  Copyright (c) 2022, Automatic Controls Equipment Systems, Inc.
+  Copyright (c) 2022, Automatic Controls Equipment Systems
   Contributors: Cameron Vogt (@cvogt729)
 */
 package aces.webctrl.postgresql.core;
@@ -177,6 +177,22 @@ public void writeRaw(byte[] arr, int offset, int length){
   public void write(String str){
     write(str.getBytes(StandardCharsets.UTF_8));
   }
+  /**
+   * Encodes the given string into UTF_8 bytes and writes to the stream.
+   * Optionally obfuscate the bytes.
+   * <ul><li>Required capacity: {@code str.getBytes(StandardCharsets.UTF_8).length+4}</li></ul>
+   */
+  public void write(String str, boolean obfuscate){
+    if (obfuscate){
+      byte[] arr = str.getBytes(StandardCharsets.UTF_8);
+      for (int i=1;i<arr.length;++i){
+        arr[i]^=arr[i-1];
+      }
+      write(arr);
+    }else{
+      write(str);
+    }
+  }
   /**
    * Reads a single byte from the stream.
    */
@@ -255,6 +271,19 @@ public int readBytes(byte[] arr, int offset){
   public String readString(){
     return new String(readBytes(), StandardCharsets.UTF_8);
   }
+  /**
+   * Reads a UTF_8 encoded string from the stream.
+   * Optionally de-obfuscate the bytes.
+   */
+  public String readString(boolean obfuscate){
+    byte[] arr = readBytes();
+    if (obfuscate){
+      for (int i=arr.length-1;i>0;--i){
+        arr[i]^=arr[i-1];
+      }
+    }
+    return new String(arr, StandardCharsets.UTF_8);
+  }
   /**
    * @return a {@code ByteBuffer} wrapping the data of this stream.
    */

src/aces/webctrl/postgresql/core/Sync.java

@@ -112,9 +112,9 @@ public Sync(Event event, String... args){
                 for (int i=1;i<args.length;++i){
                   if (Initializer.stop){ return; }
                   if (debug){
-                    if (args[i].startsWith("INSERT INTO webctrl.operator_whitelist ") && !args[i].contains("{SSHA512}")){
+                    if (args[i].startsWith("INSERT INTO webctrl.operator_whitelist ") && !args[i].contains("{SSHA512}") && !args[i].contains("{PBKDF2}")){
                       Initializer.log("INSERT INTO webctrl.operator_whitelist VALUES (**Sensitive Information**);");
-                    }else if (args[i].startsWith("UPDATE webctrl.operator_whitelist ") && !args[i].contains("{SSHA512}")){
+                    }else if (args[i].startsWith("UPDATE webctrl.operator_whitelist ") && !args[i].contains("{SSHA512}") && !args[i].contains("{PBKDF2}")){
                       Initializer.log("UPDATE webctrl.operator_whitelist SET (**Sensitive Information**);");
                     }else{
                       Initializer.log(args[i]);
@@ -237,7 +237,7 @@ public void execute(SystemAccess sys){
                 String opname;
                 for (CoreNode op:link.getOperators()){
                   opname = op.getAttribute(CoreNode.KEY).toLowerCase();
-                  if ((x = operatorWhitelist.get(opname))!=null && (link.getLastLogin(op)+28800L)*1000L>lastSyncTime){
+                  if ((x = operatorWhitelist.get(opname))!=null && (Math.max(ExternalAPI.getLoginOverride(opname),link.getLastLogin(op))+28800L)*1000L>lastSyncTime){
                     y = new OperatorData(op,opname);
                     if (!x.equals(y)){
                       opUpdates.add(x.query(y));

src/aces/webctrl/postgresql/core/Utility.java

@@ -1,6 +1,6 @@
 /*
   BSD 3-Clause License
-  Copyright (c) 2022, Automatic Controls Equipment Systems, Inc.
+  Copyright (c) 2022, Automatic Controls Equipment Systems
   Contributors: Cameron Vogt (@cvogt729)
 */
 package aces.webctrl.postgresql.core;
@@ -647,6 +647,12 @@ public static char[] obfuscate(char[] arr){
     }
     return arr;
   }
+  /**
+   * Reverses the order and XORs each character with 4.
+   */
+  public static String obfuscate(String str){
+    return new String(obfuscate(str.toCharArray()));
+  }
   /**
    * @return a {@code String} containing the stack trace of the given {@code Throwable}.
    */

src/aces/webctrl/postgresql/resources/FindTrendsPage.html

@@ -1,8 +1,3 @@
-<!--
-  BSD 3-Clause License
-  Copyright (c) 2022, Automatic Controls Equipment Systems, Inc.
-  Contributors: Cameron Vogt (@cvogt729)
--->
 <!DOCTYPE html>
 <html lang="en">
   <head>