feat(jans-core): document store manager #9256

Merged
merged 4 commits into from
Aug 26, 2024

@yurem yurem commented Aug 23, 2024

closes #9179

  • I confirm that there is no impact on the docs due to the code changes in this PR.

dryrunsecurity bot commented Aug 23, 2024

DryRun Security Summary

The pull request focuses on improving the document store functionality in the Janssen Project application, with changes spanning multiple classes and covering areas such as document management, configuration handling, and event-driven architecture, while also highlighting the need for careful review and consideration of security aspects like input validation, access control, error handling, secure communication, and dependency management.

Summary:

The code changes in this pull request focus on various improvements and refactoring of the document store functionality in the Janssen Project application. The changes span multiple classes and cover areas such as document management, configuration handling, and event-driven architecture.

From an application security perspective, the changes do not appear to introduce any obvious security vulnerabilities. However, there are a few areas that require careful review and consideration:

  1. Input Validation: Ensure that all user input, such as file paths, document metadata, and search parameters, are properly validated and sanitized to prevent injection attacks (e.g., SQL injection, path traversal).
  2. Access Control: Verify that the document store functionality is properly secured and only accessible to authorized users or components within the application.
  3. Error Handling and Logging: Implement robust error handling and logging mechanisms to prevent the leakage of sensitive information and enable effective incident detection and response.
  4. Secure Communication: If the document store interacts with other components or services, ensure that the communication channels are secured (e.g., using HTTPS, message encryption) to prevent eavesdropping or man-in-the-middle attacks.
  5. Dependency Management: Review the dependencies used in the document store implementation and ensure they are up-to-date and free from known vulnerabilities.

Overall, the changes seem to be focused on improving the functionality and maintainability of the document store, but it's essential to review the implementation details and the broader context of the application to ensure the overall security posture is maintained.

Files Changed:

  1. AssetForm.java: The changes involve refactoring the import statements and removing an unused import, which does not introduce any security concerns.
  2. AppInitializer.java: The changes add the initialization of the DocumentStoreManager and set up a scheduled timer event to periodically check for updates to the document store. This functionality should be reviewed to ensure proper security controls are in place.
  3. AssetResource.java: The changes update the import statement for the Document class, and the code includes various validation checks and error handling mechanisms, which are positive from a security perspective.
  4. AssetService.java: The changes focus on improving the handling and management of assets, including revision tracking, file handling, and validation checks, which help maintain the security of the asset management functionality.
  5. pom.xml: The changes add a new dependency to the jans-core-cdi artifact, which is not a security concern, but the overall dependency management should be reviewed.
  6. DocumentStoreConfiguration.java: The changes reorganize the import statements, which does not introduce any security issues.
  7. LocalDocumentStoreConfiguration.java: The changes reorganize the import statements, which does not introduce any security issues.
  8. WebDavDocumentStoreConfiguration.java: The changes reorganize the import statements, and the class contains sensitive information that should be properly protected.
  9. JcaDocumentStoreConfiguration.java: The changes reorganize the import statements, and the class contains sensitive information that should be properly protected.
  10. StandaloneDocumentStoreProviderFactory.java: The changes add imports and modify the factory initialization and provider selection logic, which should be reviewed to ensure secure implementation.
  11. Document.java: The changes involve refactoring the class name and field names, which does not introduce any security concerns.
  12. DocumentStoreManager.java: The changes focus on the initialization and management of the document store, and the implementation should be reviewed for security best practices.
  13. DBDocumentStoreProvider.java: The changes involve refactoring and the addition of a new method, which should be reviewed for potential security issues, such as input validation and access control.
  14. DocumentStoreProviderFactory.java: The changes reorganize the code, which does not introduce any security concerns.
  15. DocumentStore.java: The changes add a new method, which should be reviewed for potential security implications, such as input validation and access control.
  16. WebDavDocumentStoreProvider.java: The changes involve refactoring and the addition of a new method, which should be reviewed for potential security issues.
  17. LocalDocumentStoreProvider.java: The changes involve refactoring and the addition of a new method, which should be reviewed for potential security issues.
  18. DBDocumentService.java: The changes introduce new constants and CRUD operations, which should be reviewed for security best practices, such as input validation and access control.
  19. `JcaDocumentStoreProvider

Code Analysis

We ran 9 analyzers against 23 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding
Authn/Authz Analyzer 8 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@yurem yurem changed the title Document store manager feat(jans-core): document store manager Aug 23, 2024
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
@yurem yurem enabled auto-merge (squash) August 23, 2024 17:32

Quality Gate failed for 'jans-core'

Failed conditions
2 New Bugs (required ≤ 0)
25 New Code Smells (required ≤ 8)

See analysis details on SonarCloud

Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@yurem yurem merged commit bb4dcc2 into main Aug 26, 2024
20 of 21 checks passed
@yurem yurem deleted the document_store_manager branch August 26, 2024 09:39
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* feat(jans-core): add pull mechanism for custom assets pushed to the DB

* feat(jans-core): add pull mechanism for custom assets pushed to the DB

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-core): add pull mechanism for custom assets pushed to the DB

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

---------

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Former-commit-id: bb4dcc2