Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cloud-native): toggle rendering truststore based on env var #9311

Merged
merged 2 commits into from
Sep 3, 2024
Merged

fix(cloud-native): toggle rendering truststore based on env var #9311

merged 2 commits into from
Sep 3, 2024

Conversation

iromli
Copy link
Contributor

@iromli iromli commented Aug 29, 2024
edited
Loading

Prepare

Description

Target issue

closes #9309

Implementation Details

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

@iromli
fix(cloud-native): toggle rendering truststore based on env var
e77c89b 
Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli requested a review from moabu as a code owner August 29, 2024 19:40
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Aug 29, 2024
edited
Loading

DryRun Security Summary

This pull request focuses on improving the security and configurability of various Jans applications, including the Jans Auth Server, Jans FIDO2, Jans Config API, Jans Casa, Jans SAML, Jans Keycloak Link, Jans Link, and Jans SCIM, by addressing aspects such as conditional truststore synchronization, secure password management, SSL/TLS certificate handling, logging configuration, and LDIF file import.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and configurability of various Jans applications, including the Jans Auth Server, Jans FIDO2, Jans Config API, Jans Casa, Jans SAML, Jans Keycloak Link, Jans Link, and Jans SCIM. The key security-related changes include:

  1. Conditional Truststore Synchronization: The code now checks environment variables to determine whether to synchronize the LDAP and Couchbase truststores, ensuring that these operations are only performed when necessary based on the application's SSL/TLS configuration. This helps to reduce the attack surface and improve the overall security posture.

  2. Secure Password Management: The code handles the synchronization of passwords for various persistence backends, such as LDAP, Couchbase, and SQL, which is crucial for maintaining secure access to the application's data.

  3. SSL/TLS Certificate Handling: The code ensures that the applications are properly configured with valid SSL/TLS certificates, either by retrieving them from a secrets store or pulling them directly from the configured hostname. This helps to protect the confidentiality and integrity of data in transit.

  4. Logging Configuration: The code allows for the customization of logging settings, including log levels and log targets, which can be useful for security monitoring and incident investigation.

  5. LDIF File Import: The code includes functionality to import LDIF files, which may contain sensitive configuration data. Ensuring the integrity and security of these files is important to prevent unauthorized access or modification.

Overall, the code changes appear to be focused on improving the security and reliability of the Jans applications by addressing various aspects of secure configuration, credential management, and data protection. Ongoing review and monitoring of the applications' security posture are recommended to ensure that they remain secure and compliant with relevant security standards and best practices.

Files Changed:

  1. docker-jans-auth-server/scripts/bootstrap.py: The changes introduce conditional synchronization of LDAP and Couchbase truststores based on environment variables, improving the security and flexibility of the application's configuration.
  2. docker-jans-fido2/scripts/bootstrap.py: The changes include similar truststore synchronization functionality, as well as improvements to logging configuration and LDIF file import processes.
  3. docker-jans-config-api/scripts/bootstrap.py: The changes focus on the secure configuration of LDAP, Couchbase, and SQL persistence, along with logging and LDIF file import.
  4. docker-jans-casa/scripts/bootstrap.py: The changes handle truststore synchronization, SQL password management, SSL certificate handling, and logging configuration for the Jans Casa application.
  5. docker-jans-saml/scripts/bootstrap.py: The changes address the secure configuration of persistence backends, Keycloak integration, and LDIF file import for the Jans SAML application.
  6. docker-jans-keycloak-link/scripts/bootstrap.py: The changes include truststore synchronization, password management, and SSL certificate handling for the Jans Keycloak Link application.
  7. docker-jans-link/scripts/bootstrap.py: The changes focus on the secure configuration of persistence backends, SSL/TLS settings, and LDIF file import for the Jans Link application.
  8. docker-jans-scim/scripts/bootstrap.py: The changes address truststore synchronization, password management, SSL certificate handling, logging configuration, and SCIM client setup for the Jans SCIM application.

Code Analysis

We ran 9 analyzers against 8 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 8 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@moabu moabu merged commit 7360cdf into main Sep 3, 2024
10 of 11 checks passed
@moabu moabu deleted the cn-mtls-config branch September 3, 2024 08:36
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
@iromli @moabu
fix(cloud-native): toggle rendering truststore based on env var (#9311)
5363866 
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Former-commit-id: 7360cdf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moabu moabu moabu approved these changes

Assignees
No one assigned
Labels
comp-docker-jans-auth-server comp-docker-jans-config-api comp-docker-jans-fido2 comp-docker-jans-link comp-docker-jans-scim kind-bug Issue or PR is a bug in existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(cloud-native): toggle rendering truststore based on env var
3 participants
@iromli @moabu @mo-auto