Issue 53534: Support Microsoft's Graph Protocol API for authentication via OAuth2 token

build.gradle

@@ -310,6 +310,31 @@ allprojects {
                     force "io.grpc:grpc-stub:${grpcVersion}"
                     force "io.grpc:grpc-xds:${grpcVersion}"
 
+                    // JNA - transitive dependency via azure-identity and docker; force for consistency
+                    force "net.java.dev.jna:jna:${jnaVersion}"
+                    force "net.java.dev.jna:jna-platform:${jnaVersion}"
+
+                    // Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735
+                    force "io.netty:netty-buffer:${nettyVersion}"
+                    force "io.netty:netty-codec:${nettyVersion}"
+                    force "io.netty:netty-codec-dns:${nettyVersion}"
+                    force "io.netty:netty-codec-http:${nettyVersion}"
+                    force "io.netty:netty-codec-http2:${nettyVersion}"
+                    force "io.netty:netty-codec-socks:${nettyVersion}"
+                    force "io.netty:netty-common:${nettyVersion}"
+                    force "io.netty:netty-handler:${nettyVersion}"
+                    force "io.netty:netty-handler-proxy:${nettyVersion}"
+                    force "io.netty:netty-resolver:${nettyVersion}"
+                    force "io.netty:netty-resolver-dns:${nettyVersion}"
+                    force "io.netty:netty-resolver-dns-classes-macos:${nettyVersion}"
+                    force "io.netty:netty-resolver-dns-native-macos:${nettyVersion}"
+                    force "io.netty:netty-transport:${nettyVersion}"
+                    force "io.netty:netty-transport-classes-epoll:${nettyVersion}"
+                    force "io.netty:netty-transport-classes-kqueue:${nettyVersion}"
+                    force "io.netty:netty-transport-native-epoll:${nettyVersion}"
+                    force "io.netty:netty-transport-native-kqueue:${nettyVersion}"
+                    force "io.netty:netty-transport-native-unix-common:${nettyVersion}"
+
                     // tcrdb, cloud, SequenceAnalysis, recipe mfa, pipeline, fileTransfer, docker mcc, DiscvrLabKeyModules:Studies and api have differnet versions of these libraries, so we need to force these versions
                     force "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
                     force "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"

dependencyCheckSuppression.xml

@@ -183,6 +183,34 @@
         <cpe>cpe:/a:bzip2_project:bzip2</cpe>
     </suppress>
 
+    <!--
+    False positives - these CVEs cover MSAL libraries across multiple languages (Java, JavaScript, .NET, Python),
+    each versioned independently. The scanner conflates the Java msal4j library with the JavaScript
+    @azure/msal-browser/@azure/msal-node libraries. Both CVEs were fixed in msal4j 1.15.1 and 1.16.1
+    respectively; our version (1.23.1+) is not affected.
+    -->
+    <suppress>
+        <notes><![CDATA[
+        file name: msal4j-*.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-35255</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: msal4j-*.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-35255</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: msal4j-*.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
+    </suppress>
+
     <!--
     Rhino 1.7R3 is getting flagged with a potential DoS issue when toFixed() is called on very small floating point numbers.
     Upgrading to a fixed version is not trivial. See https://github.com/LabKey/internal-issues/issues/724 for details.

gradle.properties

@@ -107,6 +107,9 @@ apacheTomcatVersion=11.0.18
 # tika
 asmVersion=9.9.1
 
+# Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
+azureIdentityVersion=1.18.2
+
 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately
 batikVersion=1.19
 
@@ -228,6 +231,9 @@ jfreechartVersion=1.0.19
 
 jmockVersion=2.6.0
 
+# Transitive dependency via azure-identity and docker; force for consistency
+jnaVersion=5.18.1
+
 jodaTimeVersion=2.14.0
 
 # brought in transitively by Cloud, FileTransfer, SequenceAnalysis, etc. Need to resolve consistently
@@ -249,8 +255,14 @@ lombokVersion=1.18.42
 
 luceneVersion=10.3.2
 
+# Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API
+microsoftGraphVersion=6.59.0
+
 mssqlJdbcVersion=13.2.1.jre11
 
+# Netty - transitive dependency via azure-core-http-netty; force for CVE-2025-67735
+nettyVersion=4.2.8.Final
+
 objenesisVersion=1.0
 
 opencsvVersion=2.3

server/configs/application.properties

@@ -72,7 +72,7 @@ context.encryptionKey=@@encryptionKey@@
 #server.tomcat.max-part-header-size=512
 #server.tomcat.max-connections=250
 
-## SMTP configuration
+## SMTP configuration - if using this, comment out Microsoft Graph configuration
 mail.smtpHost=@@smtpHost@@
 mail.smtpPort=@@smtpPort@@
 mail.smtpUser=@@smtpUser@@
@@ -82,6 +82,12 @@ mail.smtpUser=@@smtpUser@@
 #mail.smtpSocketFactoryClass=@@smtpSocketFactoryClass@@
 #mail.smtpAuth=@@smtpAuth@@
 
+## Microsoft Graph configuration - if using this, comment out SMTP configuration
+#mail.graph.tenantId=@@graphTenantId@@
+#mail.graph.fromAddress=@@graphFromAddress@@
+#mail.graph.clientId=@@graphClientId@@
+#mail.graph.clientSecret=@@graphClientSecret@@
+
 # Optional - JMS configuration for remote ActiveMQ message management for distributed pipeline jobs
 # https://www.labkey.org/Documentation/wiki-page.view?name=jmsQueue
 #context.resources.jms.ConnectionFactory.type=org.apache.activemq.ActiveMQConnectionFactory

server/configs/pg.properties

@@ -5,6 +5,11 @@ smtpHost=localhost
 smtpUser=Anonymous
 smtpPort=25
 
+#graphTenantId=
+#graphFromAddress=
+#graphClientId=
+#graphClientSecret=<this should be a client secret value>
+
 databaseDefault=labkey
 databaseBootstrap=labkey2
 databaseDefaultHost=localhost
@@ -16,4 +21,4 @@ jdbcUser=postgres
 jdbcPassword=sasa
 
 # key for the encrypted property store and other potentially sensitive content
-encryptionKey=defaultKey
+encryptionKey=defaultKey

server/embedded/src/org/labkey/embedded/LabKeyServer.java

@@ -183,6 +183,12 @@ public MailProperties smtpSource()
         return new MailProperties();
     }
 
+    @Bean
+    public GraphMailProperties graphSource()
+    {
+        return new GraphMailProperties();
+    }
+
     @Bean
     public CSPFilterProperties cspSource()
     {
@@ -875,6 +881,56 @@ public void setSmtpAuth(String smtpAuth)
         }
     }
 
+    @Configuration
+    @ConfigurationProperties("mail.graph")
+    public static class GraphMailProperties
+    {
+        private String tenantId;
+        private String clientId;
+        private String clientSecret;
+        private String fromAddress;
+
+        public String getTenantId()
+        {
+            return tenantId;
+        }
+
+        public void setTenantId(String tenantId)
+        {
+            this.tenantId = tenantId;
+        }
+
+        public String getClientId()
+        {
+            return clientId;
+        }
+
+        public void setClientId(String clientId)
+        {
+            this.clientId = clientId;
+        }
+
+        public String getClientSecret()
+        {
+            return clientSecret;
+        }
+
+        public void setClientSecret(String clientSecret)
+        {
+            this.clientSecret = clientSecret;
+        }
+
+        public String getFromAddress()
+        {
+            return fromAddress;
+        }
+
+        public void setFromAddress(String fromAddress)
+        {
+            this.fromAddress = fromAddress;
+        }
+    }
+
     @Configuration
     @ConfigurationProperties("csp")
     public static class CSPFilterProperties

server/embedded/src/org/labkey/embedded/LabKeyTomcatServletWebServerFactory.java

@@ -155,8 +155,9 @@ protected TomcatWebServer getTomcatWebServer(Tomcat tomcat)
                 // Add extra resources to context (e.g. LDAP, JMS)
                 addExtraContextResources(contextProperties, context);
 
-                // Add the SMTP config
+                // Add the mail transport config (SMTP or Microsoft Graph)
                 addSmtpProperties(context);
+                addGraphProperties(context);
 
                 // Add the encryption key(s)
                 context.addParameter("EncryptionKey", contextProperties.getEncryptionKey());
@@ -409,10 +410,18 @@ private void addSmtpProperties(StandardContext context)
         // Get session/mail properties
         LabKeyServer.MailProperties mailProps = _server.smtpSource();
 
-        context.addParameter("mail.smtp.host", mailProps.getSmtpHost());
-        context.addParameter("mail.smtp.user", mailProps.getSmtpUser());
-        context.addParameter("mail.smtp.port", mailProps.getSmtpPort());
-
+        if (mailProps.getSmtpHost() != null)
+        {
+            context.addParameter("mail.smtp.host", mailProps.getSmtpHost());
+        }
+        if (mailProps.getSmtpUser() != null)
+        {
+            context.addParameter("mail.smtp.user", mailProps.getSmtpUser());
+        }
+        if (mailProps.getSmtpPort() != null)
+        {
+            context.addParameter("mail.smtp.port", mailProps.getSmtpPort());
+        }
         if (mailProps.getSmtpFrom() != null)
         {
             context.addParameter("mail.smtp.from", mailProps.getSmtpFrom());
@@ -434,4 +443,27 @@ private void addSmtpProperties(StandardContext context)
             context.addParameter("mail.smtp.auth", mailProps.getSmtpAuth());
         }
     }
+
+    private void addGraphProperties(StandardContext context)
+    {
+        // Get Microsoft Graph mail properties
+        LabKeyServer.GraphMailProperties graphProps = _server.graphSource();
+
+        if (graphProps.getTenantId() != null)
+        {
+            context.addParameter("mail.graph.tenantId", graphProps.getTenantId());
+        }
+        if (graphProps.getClientId() != null)
+        {
+            context.addParameter("mail.graph.clientId", graphProps.getClientId());
+        }
+        if (graphProps.getClientSecret() != null)
+        {
+            context.addParameter("mail.graph.clientSecret", graphProps.getClientSecret());
+        }
+        if (graphProps.getFromAddress() != null)
+        {
+            context.addParameter("mail.graph.fromAddress", graphProps.getFromAddress());
+        }
+    }
 }