Merge branch 'release/v11.2.6' of https://github.com/utmstack/UTMStack into release/v11.2.6

Author: JocLRojas

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -161,6 +161,7 @@ public final class Constants {
 
     public static final String CONF_TYPE_PASSWORD = "password";
     public static final String CONF_TYPE_FILE = "file";
+    public static final String MASKED_VALUE = "*****";
 
     public static final String API_KEY_HEADER = "Utm-Api-Key";
     public static final List<String> API_ENDPOINT_IGNORE = Collections.emptyList();

backend/src/main/java/com/park/utmstack/domain/application_modules/factory/impl/ModuleSocAi.java

@@ -45,16 +45,6 @@ public List<ModuleRequirement> checkRequirements(Long serverId) throws Exception
     public List<ModuleConfigurationKey> getConfigurationKeys(Long groupId) throws Exception {
         List<ModuleConfigurationKey> keys = new ArrayList<>();
 
-        // soc_ai_key
-        keys.add(ModuleConfigurationKey.builder()
-            .withGroupId(groupId)
-            .withConfKey("utmstack.socai.key")
-            .withConfName("Key")
-            .withConfDescription("OpenAI Connection key")
-            .withConfDataType("password")
-            .withConfRequired(true)
-            .build());
-
         keys.add(ModuleConfigurationKey.builder()
             .withGroupId(groupId)
             .withConfKey("utmstack.socai.incidentCreation")

backend/src/main/java/com/park/utmstack/domain/application_modules/validators/UtmModuleConfigValidator.java

@@ -35,12 +35,15 @@ public boolean validate(UtmModule module, List<UtmModuleGroupConfiguration> keys
         List<UtmModuleGroupConfDTO> configDTOs = dbConfigs.stream()
                 .map(dbConf -> {
                     UtmModuleGroupConfiguration override = findInKeys(keys, dbConf.getConfKey());
-                    UtmModuleGroupConfiguration source = override != null ? override : dbConf;
-
-                    return new UtmModuleGroupConfDTO(
-                            source.getConfKey(),
-                            override != null ? source.getConfValue() : decryptIfNeeded(source.getConfDataType(), source.getConfValue())
-                    );
+                    String value;
+                    if (override != null && !Constants.MASKED_VALUE.equals(override.getConfValue())) {
+                        // User provided a new value — use it as plaintext
+                        value = override.getConfValue();
+                    } else {
+                        // No override or masked — decrypt from DB
+                        value = decryptIfNeeded(dbConf.getConfDataType(), dbConf.getConfValue());
+                    }
+                    return new UtmModuleGroupConfDTO(dbConf.getConfKey(), value);
                 })
                 .toList();
 

backend/src/main/java/com/park/utmstack/service/UtmIntegrationConfService.java

@@ -40,7 +40,8 @@ public UtmIntegrationConf save(UtmIntegrationConf utmIntegrationConf) throws Exc
         final String ctx = CLASSNAME + ".save";
         try {
             String dataType = utmIntegrationConf.getConfDatatype();
-            if (StringUtils.hasText(dataType) && dataType.equals("password"))
+            if (StringUtils.hasText(dataType) && dataType.equals("password")
+                    && !Constants.MASKED_VALUE.equals(utmIntegrationConf.getConfValue()))
                 utmIntegrationConf.setConfValue(CipherUtil.encrypt(utmIntegrationConf.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
             return utmIntegrationConfRepository.save(utmIntegrationConf);
         } catch (Exception e) {

backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupConfigurationService.java

@@ -50,22 +50,41 @@ public void createConfigurationKeys(List<UtmModuleGroupConfiguration> keys) thro
     }
 
     /**
-     * Update configuration of the application modules
-     *
-     * @param keys List of configuration keys to save
+     * Update configuration of the application modules.
+     * Password/file fields with the masked value are skipped (not changed).
+     * Password/file fields with a new value are encrypted before saving.
      */
     public UtmModule updateConfigurationKeys(Long moduleId, List<UtmModuleGroupConfiguration> keys) {
         final String ctx = CLASSNAME + ".updateConfigurationKeys";
         try {
             if (CollectionUtils.isEmpty(keys))
                 throw new ApiException("No configuration keys were provided to update", HttpStatus.BAD_REQUEST);
+
             for (UtmModuleGroupConfiguration key : keys) {
+                boolean isSensitive = isSensitiveType(key.getConfDataType());
+
+                // Skip masked values — the user did not change this field
+                if (isSensitive && Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                    continue;
+                }
+
                 if (key.getConfRequired() && !StringUtils.hasText(key.getConfValue()))
                     throw new Exception(String.format("No value was found for required configuration: %1$s (%2$s)", key.getConfName(), key.getConfKey()));
-                if (key.getConfDataType().equals("password") || key.getConfDataType().equals("file"))
+
+                // Encrypt new sensitive values
+                if (isSensitive) {
                     key.setConfValue(CipherUtil.encrypt(key.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
+                }
+            }
+
+            // Remove masked entries so they don't overwrite DB values
+            List<UtmModuleGroupConfiguration> toSave = keys.stream()
+                .filter(k -> !(isSensitiveType(k.getConfDataType()) && Constants.MASKED_VALUE.equals(k.getConfValue())))
+                .collect(Collectors.toList());
+
+            if (!toSave.isEmpty()) {
+                moduleConfigurationRepository.saveAll(toSave);
             }
-            moduleConfigurationRepository.saveAll(keys);
 
             List<ModuleName> needRestartModules = Arrays.asList(ModuleName.AWS_IAM_USER, ModuleName.AZURE,
                     ModuleName.GCP, ModuleName.SOPHOS);
@@ -83,32 +102,27 @@ public UtmModule updateConfigurationKeys(Long moduleId, List<UtmModuleGroupConfi
     }
 
     /**
-     * Find all configurations of a module group
-     *
-     * @param groupId Identifier of the group to get the configurations
-     * @return A list of configuration of a group
-     * @throws Exception In case of any error
+     * Find all configurations of a module group.
+     * Sensitive values (password, file) are masked before returning.
      */
     public List<UtmModuleGroupConfiguration> findAllByGroupId(Long groupId) throws Exception {
         final String ctx = CLASSNAME + ".findAllByGroupId";
         try {
-            return moduleConfigurationRepository.findAllByGroupId(groupId);
+            List<UtmModuleGroupConfiguration> configs = moduleConfigurationRepository.findAllByGroupId(groupId);
+            maskSensitiveValues(configs);
+            return configs;
         } catch (Exception e) {
             throw new Exception(ctx + ": " + e.getMessage());
         }
     }
 
     /**
      * Gets all configuration parameter for a group and convert it to a map
-     *
-     * @param groupId Identifier of a group
-     * @return A map with the module group configuration
-     * @throws Exception In case of any error
      */
     public Map<String, String> getGroupConfigurationAsMap(Long groupId) throws Exception {
         final String ctx = CLASSNAME + ".getGroupConfigurationAsMap";
         try {
-            List<UtmModuleGroupConfiguration> configurations = findAllByGroupId(groupId);
+            List<UtmModuleGroupConfiguration> configurations = moduleConfigurationRepository.findAllByGroupId(groupId);
 
             if (CollectionUtils.isEmpty(configurations))
                 return Collections.emptyMap();
@@ -121,18 +135,30 @@ public Map<String, String> getGroupConfigurationAsMap(Long groupId) throws Excep
 
     /**
      * Find a configuration parameter by his group and key
-     *
-     * @param groupId Identifier of the group to the param belongs
-     * @param confKey Key word of the configuration parameter
-     * @return A ${@link UtmModuleGroupConfiguration} object with the configuration parameter information
-     * @throws Exception In case of any error
      */
     public UtmModuleGroupConfiguration findByGroupIdAndConfKey(Long groupId, String confKey) throws Exception {
         final String ctx = CLASSNAME + ".findByGroupIdAndConfKey";
         try {
-            return moduleConfigurationRepository.findByGroupIdAndConfKey(groupId, confKey);
+            UtmModuleGroupConfiguration config = moduleConfigurationRepository.findByGroupIdAndConfKey(groupId, confKey);
+            if (config != null && isSensitiveType(config.getConfDataType())) {
+                config.setConfValue(Constants.MASKED_VALUE);
+            }
+            return config;
         } catch (Exception e) {
             throw new Exception(ctx + ": " + e.getMessage());
         }
     }
+
+    private boolean isSensitiveType(String dataType) {
+        return Constants.CONF_TYPE_PASSWORD.equals(dataType) || Constants.CONF_TYPE_FILE.equals(dataType);
+    }
+
+    private void maskSensitiveValues(List<UtmModuleGroupConfiguration> configs) {
+        if (configs == null) return;
+        for (UtmModuleGroupConfiguration config : configs) {
+            if (isSensitiveType(config.getConfDataType()) && StringUtils.hasText(config.getConfValue())) {
+                config.setConfValue(Constants.MASKED_VALUE);
+            }
+        }
+    }
 }

backend/src/main/java/com/park/utmstack/service/application_modules/UtmModuleGroupService.java

@@ -250,6 +250,9 @@ public void updateCollectorConfigurationKeys(CollectorConfigDTO collectorConfig)
             } else {
                 for (UtmModuleGroupConfiguration key : keys) {
                     if (key.getConfDataType().equals("password")) {
+                        if (Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                            continue;
+                        }
                         key.setConfValue(CipherUtil.encrypt(key.getConfValue(), System.getenv(Constants.ENV_ENCRYPTION_KEY)));
                     }
                 }

backend/src/main/java/com/park/utmstack/service/collectors/CollectorOpsService.java

@@ -436,6 +436,9 @@ public void updateCollectorConfigurationKeys(CollectorConfigDTO collectorConfig)
                 utmModuleGroupRepository.deleteAll(configs);
             } else {
                 for (UtmModuleGroupConfiguration key : keys) {
+                    if (key.getConfDataType().equals("password") && Constants.MASKED_VALUE.equals(key.getConfValue())) {
+                        continue;
+                    }
                     if (key.getConfRequired() && !StringUtils.hasText(key.getConfValue()))
                         throw new Exception(String.format("No value was found for required configuration: %1$s (%2$s)", key.getConfName(), key.getConfKey()));
                     if (key.getConfDataType().equals("password"))

backend/src/main/java/com/park/utmstack/web/rest/application_modules/UtmModuleGroupResource.java

@@ -131,7 +131,19 @@ public ResponseEntity<UtmModuleGroup> updateUtmConfigurationGroup(@Valid @Reques
     public ResponseEntity<List<UtmModuleGroup>> getModuleGroups(@RequestParam Long moduleId) {
         final String ctx = CLASSNAME + ".getModuleGroups";
         try {
-            return ResponseEntity.ok(moduleGroupService.findAllByModuleId(moduleId));
+            List<UtmModuleGroup> groups = moduleGroupService.findAllByModuleId(moduleId);
+            for (UtmModuleGroup group : groups) {
+                if (group.getModuleGroupConfigurations() != null) {
+                    for (UtmModuleGroupConfiguration conf : group.getModuleGroupConfigurations()) {
+                        if ((Constants.CONF_TYPE_PASSWORD.equals(conf.getConfDataType())
+                                || Constants.CONF_TYPE_FILE.equals(conf.getConfDataType()))
+                                && conf.getConfValue() != null) {
+                            conf.setConfValue(Constants.MASKED_VALUE);
+                        }
+                    }
+                }
+            }
+            return ResponseEntity.ok(groups);
         } catch (Exception e) {
             String msg = ctx + ": " + e.getMessage();
             log.error(msg);

backend/src/main/resources/config/liquibase/changelog/20260409002_update_socai_config.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20260409002" author="Yorjander">
+        <sql>
+            UPDATE utm_module
+            SET module_description = 'SOC AI uses advanced language models to investigate Security Operations Center alerts by analyzing large volumes of data, identifying patterns, and providing insights into potential security incidents. By leveraging natural language processing capabilities, security analysts can efficiently triage alerts, prioritize threats, and gather contextual information to aid in incident response and remediation.',
+                module_icon = 'soc-ai.svg'
+            WHERE module_name = 'SOC_AI';
+
+            UPDATE utm_module_group_configuration
+            SET conf_visibility = '{"dependsOn": "utmstack.socai.provider", "values": ["custom"]}'
+            WHERE conf_key = 'utmstack.socai.url';
+
+            UPDATE utm_module_group_configuration
+            SET conf_visibility = '{"dependsOn": "utmstack.socai.provider", "values": ["anthropic", "custom"]}'
+            WHERE conf_key = 'utmstack.socai.maxTokens';
+
+            DELETE FROM utm_module_group_configuration
+            WHERE conf_key = 'utmstack.socai.key';
+        </sql>
+    </changeSet>
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/master.xml

@@ -591,4 +591,6 @@
 
   <include file="/config/liquibase/changelog/20260409001_add_shell_to_alert_response_rule.xml" relativeToChangelogFile="false"/>
 
+  <include file="/config/liquibase/changelog/20260409002_update_socai_config.xml" relativeToChangelogFile="false"/>
+
 </databaseChangeLog>