8000 fix(config-api): asset mgt error handling and SAML TR spec by pujavs · Pull Request #9082 · JanssenProject/jans · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix(config-api): asset mgt error handling and SAML TR spec #9082

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 2, 2024
Merged

fix(config-api): asset mgt error handling and SAML TR spec #9082

merged 10 commits into from
Aug 2, 2024

Conversation

pujavs
Copy link
Contributor
@pujavs pujavs commented Aug 1, 2024

Prepare

Description

  1. Issue#8971: added trust relationship schema attribute description
  2. Issue#9060: making asset file optional for update operation
  3. Issue#9073: service module validation

Target issue

closes #8971 , #9060, #9073

Implementation Details

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

pujavs added 9 commits July 29, 2024 20:50
@pujavs
doc(config-api): attribite spec for saml trust relationship
d80c58c 
Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
Merge branch 'main' of https://github.com/JanssenProject/jans into ja…
e225f79 
…ns-config-api-fix
@pujavs
Merge branch 'main' of https://github.com/JanssenProject/jans into ja…
c8f60f4 
…ns-config-api-fix
@pujavs
feat(config-api): asset mgt update enhancement to make asset file opt…
87fe31d 
…ional

Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
Merge branch 'main' of https://github.com/JanssenProject/jans into ja…
55c0d2f 
…ns-config-api-fix
@pujavs
fix(config-api): validate asset service dir
0904be6 
Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
Merge branch 'main' of https://github.com/JanssenProject/jans into ja…
b18eb6c 
…ns-config-api-fix
@pujavs
feat(config-api): asset mgt validation
9510021 
Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
Merge branch 'main' of https://github.com/JanssenProject/jans into ja…
2c9a867 
…ns-config-api-fix
@pujavs pujavs requested a review from devrimyatar August 1, 2024 17:05
@pujavs pujavs requested review from yuriyz and yurem as code owners August 1, 2024 17:05
@dryrunsecurity DryRunSecurity
Copy link
dryrunsecurity bot commented Aug 1, 2024
edited
Loading

DryRun Security Summary

The pull request covers various updates to the Jans Config API application, including improvements to security-related aspects such as input validation, secure data handling, access control, and asset management, with a focus on enhancing the overall security and reliability of the application.

Expand for full summary

Summary:

The code changes in this pull request cover various aspects of the Jans Config API application, including updates to the User Management plugin, the SAML-related functionality, the Asset Management resource, and the Swagger documentation. From an application security perspective, the changes generally introduce improvements to security-related aspects, such as input validation, error handling, secure data handling, and access control.

The key security-related highlights include:

  1. Proper input validation and sanitization to prevent injection attacks when handling user data and SAML metadata.
  2. Secure storage and handling of sensitive user data and SAML-related configurations, such as client secrets and logout URLs.
  3. Implementing appropriate access controls and authorization mechanisms to restrict access to sensitive operations and configurations.
  4. Robust logging and monitoring mechanisms to track and audit security-relevant activities.
  5. Handling of file uploads and asset management with a focus on security, including validation of file extensions and secure file handling.

Overall, the changes appear to be focused on enhancing the security and reliability of the Jans Config API application. While there are no obvious security vulnerabilities introduced, it is important to ensure that the implementation of these features follows best practices for secure application development and deployment.

Files Changed:

  1. jans-config-api/plugins/docs/user-mgt-plugin-swagger.yaml: Updates the schema definition for the CustomUser object, introducing new properties for enhanced user management capabilities. The changes do not introduce any obvious security vulnerabilities, but proper input validation and secure data handling should be ensured.

  2. jans-config-api/plugins/kc-saml-plugin/src/main/java/io/jans/configapi/plugin/saml/model/TrustRelationship.java: Adds Swagger annotations to the TrustRelationship class, highlighting the need for secure handling of sensitive data, proper input validation, and appropriate consent and authorization mechanisms.

  3. jans-config-api/plugins/docs/kc-saml-plugin-swagger.yaml: Updates the Swagger documentation for the SAML-related functionality, including the management of Identity Providers, Trust Relationships, and SAML configurations. Security considerations include secure SAML configuration, metadata validation, and robust error handling and input validation.

  4. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java: Improves the security and robustness of the asset management functionality, including enhanced validation, error handling, input sanitization, and secure file handling.

  5. jans-config-api/docs/jans-config-api-swagger.yaml: Updates the Swagger documentation with new scopes, attributes, and configuration options, which do not introduce any obvious security concerns.

  6. jans-config-api/server/src/main/java/io/jans/configapi/service/auth/AssetService.java: Enhances the security and reliability of the asset management functionality, including input validation, secure file handling, and least privilege access control.

Code Analysis

We ran 9 analyzers against 6 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 3 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@mo-auto mo-auto added comp-jans-config-api Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality labels Aug 1, 2024
@sonarqubecloud SonarQubeCloud
Copy link
sonarqubecloud bot commented Aug 1, 2024

Quality Gate Passed Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@yuriyz yuriyz enabled auto-merge (squash) August 2, 2024 09:05
@yuriyz yuriyz merged commit a6a1850 into main Aug 2, 2024
9 of 10 checks passed
@yuriyz yuriyz deleted the jans-config-api-fix branch August 2, 2024 09:06
@sonarqubecloud SonarQubeCloud
Copy link
sonarqubecloud bot commented Aug 2, 2024

Quality Gate Passed Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@sonarqubecloud SonarQubeCloud
Copy link
sonarqubecloud bot commented Aug 2, 2024

Quality Gate Passed Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@sonarqubecloud SonarQubeCloud
Copy link
sonarqubecloud bot commented Aug 2, 2024

Quality Gate Passed Quality Gate passed for 'jans-core'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@pujavs pujavs mentioned this pull request Aug 9, 2024
Closed
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
@pujavs
fix(config-api): asset mgt error handling and SAML TR spec (#9082)
3c477ac 
* doc(config-api): attribite spec for saml trust relationship

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset mgt update enhancement to make asset file optional

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): validate asset service dir

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset mgt validation

Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: pujavs <pujas.works@gmail.com>
Former-commit-id: a6a1850
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuriyz yuriyz yuriyz approved these changes

@devrimyatar devrimyatar devrimyatar approved these changes

@yurem yurem Awaiting requested review from yurem yurem is a code owner

Assignees
No one assigned
Labels
comp-jans-config-api Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

doc(config-api): trust relationship schema attribute
4 participants
@pujavs @yuriyz @devrimyatar @mo-auto
0