fix(config-api): lock endpoint fixes and SAML IDP NPE

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

1. Issue#9305: fix(lock): lock code review changes
2. Issue#9366: fix(config-api): lock audit endpoint successful though scope missing
3. Issue#9367: fix(config-api): internal server error while creating SAML IDP

closes #9305 #9366 #9367

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request includes various improvements and bug fixes across multiple components of the Jans Config API and related services, focusing on enhancing the security, reliability, and functionality of the application, particularly in areas related to access control, auditing, and token management.

Expand for full summary

Summary:

The code changes in this pull request cover various improvements and bug fixes across multiple components of the Jans Config API and related services. The changes focus on enhancing the security, reliability, and functionality of the application, particularly in areas related to access control, auditing, and token management.

Key security-related changes include:

1. Improved Scope Management: The changes in the TokenEndpointService.java file introduce a more robust approach to managing scopes for access tokens, supporting both "allGroupScopes" and regular scopes. This helps to ensure that the application only requests the necessary permissions for each endpoint, reducing the risk of over-privileged access tokens.

2. Token Validity Checking: The addition of the isTokenValid() method helps to ensure that the application does not use expired access tokens, reducing the risk of unauthorized access.

3. Secure Token Retrieval: The code securely retrieves the client secret by decrypting it using the EncryptionService, ensuring that the client secret is not stored in plaintext.

4. Audit Data Handling: The changes in the AuditService.java and AuditRestWebServiceImpl.java files focus on improving the management and handling of access tokens for auditing purposes, including token expiration and renewal, and secure storage and retrieval of token details.

5. Input Validation and Access Control: While the code changes do not appear to introduce any obvious security vulnerabilities, it's important to ensure that the application has proper input validation and access control mechanisms in place to prevent potential injection attacks and unauthorized access to sensitive data.

Files Changed:

1. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/model/stat/TelemetryEntry.java: A typo fix to rename the jansFaiedlLoadCounter variable to jansFailedLoadCounter.

2. jans-config-api/plugins/docs/lock-plugin-swagger.yaml: Addition of the groupScopeEnabled property to the AppConfiguration schema, indicating support for group-based access control.

3. jans-config-api/plugins/kc-saml-plugin/src/main/java/io/jans/configapi/plugin/saml/service/IdpService.java: Improvement to handle cases where the samlConfigService.getIdpMetadataMandatoryAttributes() method returns null.

4. jans-config-api/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java: Optimization of the scope checking logic and improved handling of edge cases.

5. jans-linux-setup/jans_setup/templates/jans-lock/dynamic-conf.json: Addition of the groupScopeEnabled configuration parameter and updates to the endpointGroups and endpointDetails sections.

6. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/service/AuditService.java: Improvements to the audit-related functionality, including date-based filtering, pagination, and sorting.

7. jans-config-api/docs/jans-config-api-swagger.yaml: Updates to the Attribute schema and addition of new configuration-related schemas.

8. jans-lock/lock-server/model/src/main/java/io/jans/lock/model/config/AppConfiguration.java: Addition of the groupScopeEnabled configuration property.

9. jans-linux-setup/jans_setup/schema/jans_schema.json: Renaming of the jansFaiedlLoadCounter attribute to jansFailedLoadCounter.

10. jans-lock/lock-server/service/src/main/java/io/jans/lock/service/TokenEndpointService.java: Improvements to the token management functionality, including scope management, token validity checking, and secure token retrieval.

11. jans-lock/lock-server/service/src/main/java/io/jans/lock/service/audit/AuditService.java: Changes related to the management and handling of access tokens for auditing purposes.

12. `jans-lock/lock-server/service/src/main/java/io/jans

Code Analysis

We ran 9 analyzers against 12 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarqubecloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarqubecloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud