
feat(jans-pycloudlib): add support reading configuration from file #9037

Merged
merged 23 commits into from
Aug 27, 2024

Conversation

iromli
Contributor

@iromli iromli commented Jul 26, 2024

Prepare


Description

Overview:

  • password files for persistence are optional, they will be pre-populated from local/remote secrets if files are missing
  • Vault RoleID and SecretID files are optional, they will be pre-populated from local/remote secrets if files are missing
  • changes to charts will be added in next PRs to avoid huge diff with main branch

Target issue

closes #9035

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: iromli <isman.firmansyah@gmail.com>
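The file-first, secrets-fallback behaviour the overview describes (mounted password file wins; otherwise the value is pre-populated from the secrets adapter), as an added illustration in Python that is not jans-pycloudlib's own code: `resolve_password_file` and `SecretsBackend` are hypothetical names, and the backend is a constructed stand-in for the local/remote secrets adapter.

```python
import os
import tempfile
from pathlib import Path


class SecretsBackend:
    """Constructed stand-in for a local/remote secrets adapter (not the real one)."""
    def __init__(self, data):
        self._data = dict(data)

    def get(self, key):
        return self._data.get(key)


def resolve_password_file(path, secret_key, backend):
    """Return the password for secret_key: a non-empty mounted file at `path` wins;
    otherwise fetch it from the backend, write it to `path` with owner-only
    permissions so later steps find it, and fail closed if neither has a value."""
    p = Path(path)
    if p.is_file():
        value = p.read_text(encoding="utf-8").strip()
        if value:
            return value
    value = backend.get(secret_key)
    if not value:
        raise RuntimeError(f"{secret_key!r}: {p} missing or empty and secret not set")
    p.parent.mkdir(parents=True, exist_ok=True)
    # Create with 0600 up front rather than chmod after a world-readable write.
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(value)
    return value


def demo():
    """Exercise the three cases in a temp dir and return what happened."""
    backend = SecretsBackend({"sql_password": "from-secrets"})
    with tempfile.TemporaryDirectory() as d:
        mounted = Path(d, "sql_password")
        mounted.write_text("from-file\n", encoding="utf-8")
        from_file = resolve_password_file(mounted, "sql_password", backend)
        missing = Path(d, "creds", "sql_password")
        populated = resolve_password_file(missing, "sql_password", backend)
        mode = missing.stat().st_mode & 0o777
        try:
            resolve_password_file(Path(d, "ldap_password"), "ldap_password", backend)
            error = None
        except RuntimeError as exc:
            error = str(exc)
    return {"from_file": from_file, "populated": populated, "mode": mode, "error": error}
```

The permission check in `demo()` assumes a POSIX filesystem; on a mount that ignores mode bits the 0600 guarantee does not hold and the secret should stay in the backend only.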

dryrunsecurity bot commented Jul 26, 2024

DryRun Security Summary

This pull request covers a wide range of security and reliability improvements across multiple components of the Jans application suite, including secure persistence configuration, credential and secrets management, configuration updates, data migration, dependency management, and startup/initialization processes.


Summary:

The code changes in this pull request cover a wide range of updates and improvements to the Jans application's security and reliability. The changes span multiple components, including the Jans Auth Server, Jans Casa, Jans Config API, Jans FIDO2, Jans Keycloak Link, Jans Link, and the Jans Persistence Loader.

The key security-related aspects of these changes include:

  1. Secure Persistence Configuration: The code ensures that the application's persistence layer (LDAP, SQL, Couchbase, Spanner) is properly configured and that sensitive information, such as passwords and certificates, is securely managed and synchronized across the different backends.

  2. Secure Credential and Secrets Management: The code handles the generation, storage, and synchronization of various credentials and secrets, including client IDs, client secrets, user passwords, and SSL/TLS certificates, to maintain the application's overall security.

  3. Secure Configuration Updates: The code includes mechanisms to update the application's dynamic, static, and error configurations during the upgrade process, ensuring that the configurations remain secure and up-to-date.

  4. Secure Data Migration: The code handles the migration of data, such as SCIM entries, profiles, and client configurations, during the upgrade process, ensuring that the application's security posture is maintained.

  5. Secure Dependency Management: The code manages the application's dependencies, including the extraction and inclusion of common libraries, to ensure that the application is using secure and up-to-date components.

  6. Secure Startup and Initialization: The code includes various checks and validation steps to ensure that the application's startup and initialization processes are secure and reliable, such as waiting for the persistence layer to be available and validating the configuration settings.

Overall, the code changes in this pull request demonstrate a strong focus on improving the security and reliability of the Jans application suite, with a particular emphasis on secure persistence management, credential handling, configuration updates, and data migration processes.

Files Changed:

The changes in this pull request span multiple files across the Jans application suite, including:

  • docker-jans-auth-server/scripts/bootstrap.py: Handles the configuration and setup of the Jans Auth Server's persistence layer, logging, and SSL/TLS certificates.
  • docker-jans-auth-server/scripts/upgrade.py: Updates the dynamic configuration and client scopes for the Lock feature in the Jans Auth Server.
  • docker-jans-auth-server/scripts/wait.py: Removes the wait_for_persistence function call, potentially optimizing the startup process.
  • docker-jans-auth-server/scripts/mod_context.py: Manages the extraction and inclusion of common libraries for the Jans Auth Server.
  • docker-jans-casa/scripts/bootstrap.py: Configures the persistence layer, secrets management, and logging for the Jans Casa application.
  • docker-jans-casa/scripts/mod_context.py: Updates the import path for the PersistenceMapper class.
  • docker-jans-casa/scripts/wait.py: Removes the wait_for_persistence function call.
  • docker-jans-casa/scripts/upgrade.py: Updates the dynamic, static, and error configurations for the FIDO2 module in the Jans Casa application.
  • docker-jans-config-api/scripts/mod_context.py: Manages the extraction and inclusion of common libraries for the Jans Config API application.
  • docker-jans-config-api/scripts/bootstrap.py: Configures the persistence layer, SSL/TLS certificates, and logging for the Jans Config API application.
  • docker-jans-config-api/scripts/upgrade.py: Updates the API dynamic configuration, client scopes, and other settings during the upgrade process.
  • docker-jans-fido2/scripts/bootstrap.py: Configures the persistence layer, SSL/TLS certificates, and logging for the Jans FIDO2 application.
  • docker-jans-fido2/scripts/mod_context.py: Updates the import path for the PersistenceMapper class.
  • docker-jans-fido2/scripts/wait.py: Removes the wait_for_persistence_conn function call.
  • docker-jans-fido2/scripts/upgrade.py: Updates the dynamic, static, and error configurations

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 20 findings

Riskiness

🟢 Risk threshold not exceeded.


@mo-auto mo-auto added comp-jans-pycloudlib kind-feature Issue or PR is a new feature request labels Jul 26, 2024
@iromli iromli self-assigned this Jul 29, 2024

Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud


iromli and others added 11 commits August 20, 2024 23:30
…guration.json is missing

Signed-off-by: Isman Firmansyah <iromli@users.noreply.github.com>
@iromli iromli marked this pull request as ready for review August 27, 2024 15:18
@iromli iromli requested a review from moabu as a code owner August 27, 2024 15:18
@moabu moabu merged commit fc9f04f into main Aug 27, 2024
18 of 19 checks passed
@moabu moabu deleted the cn-pycloudlib-proxy branch August 27, 2024 17:06
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
…9037)

* feat(jans-pycloudlib): add support reading configuration from file

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* tests(jans-pycloudlib): adjust testcases

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* feat(jans-pycloudlib): add CLI command to generate configuration spec

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: simplified configmaps and secrets adapters

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: handle missing params

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: add backward-compat for configuration and dump files

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* test(jans-pycloudlib): fix transform_data testcase

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: handle mounted password files

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: handle mounted files in OCI images

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: ensure couchbase password files exist

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: generate opendj.pkcs12 on-the-fly

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: resolve required password files

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: pre-populate LDAP bindDN

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: remove duplicated jansAccessTknSigAlg attribute

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: clarify local secrets and configmaps will be excluded if configuration.json is missing

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: remove unused backward-compat

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor: bootstrap Vault RoleID and SecretID (if required)

Signed-off-by: iromli <isman.firmansyah@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: Isman Firmansyah <iromli@users.noreply.github.com>
Former-commit-id: fc9f04f