fix(docker-jans-persistence-loader): populate jansDbAuth attribute only if using ldap persistence

[iromli]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #9321

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The provided code changes are related to the configuration and upgrade scripts for the Jans application, a web-based identity and access management (IAM) solution, involving the removal of LDAP-based authentication configuration, updates to script entries, transformations of authentication dynamic and static configurations, and various other updates to the application's configuration, with the most notable changes being the disabling of the DUO script entry, the transformation of the jansConfDyn configuration, and the setting of the jansDbAuth configuration for LDAP persistence.

Expand for full summary

Summary:

The provided code changes are related to the configuration and upgrade scripts for the Jans application, a web-based identity and access management (IAM) solution. The main changes include the removal of LDAP-based authentication configuration, updates to script entries, transformations of authentication dynamic and static configurations, and various other updates to the application's configuration.

From an application security perspective, the most notable changes involve the disabling of the DUO script entry, the transformation of the jansConfDyn configuration (which could affect the authentication and authorization flow), and the setting of the jansDbAuth configuration for LDAP persistence (which could affect the database authentication and authorization mechanisms). These changes should be carefully reviewed and tested to ensure they do not introduce any vulnerabilities or break existing functionality.

Overall, the code changes appear to be part of a comprehensive upgrade process for the Jans application, aimed at ensuring the application is up-to-date and configured correctly across various persistence backends (LDAP, SQL, Couchbase, Spanner). As an application security engineer, it's important to thoroughly review these changes and their potential impact on the application's security posture.

Files Changed:

1. docker-jans-persistence-loader/templates/configuration.ldif:

   • Removal of the jansDbAuth configuration block, which previously contained settings for an LDAP-based authentication mechanism.
   • The remaining configuration blocks, such as jansCacheConf, jansMessageConf, jansDocStoreConf, and jansSmtpConf, remain unchanged.

2. docker-jans-persistence-loader/scripts/upgrade.py:

   • Updates to script entries, including toggling the SCIM script, deleting the DUO script entry, and filtering out unwanted properties from the Agama script entry.
   • Transformations of the jansConfDyn configuration, which could affect the authentication and authorization flow.
   • Updates to various configuration entries, such as attributes, base entries, SCIM scopes, scopes, people, clients, admin UI, auth errors, auth static, TUI client, and overall application configuration.
   • The most security-relevant changes involve the disabling of the DUO script entry and the setting of the jansDbAuth configuration for LDAP persistence.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.