
chore(cloud-native): sync assets into OCI images #9406

Merged
merged 3 commits into from
Sep 9, 2024

Conversation

iromli
Contributor

@iromli iromli commented Sep 6, 2024

Prepare


Description

Target issue

closes #9405

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: iromli <isman.firmansyah@gmail.com>

dryrunsecurity bot commented Sep 6, 2024

DryRun Security Summary

The pull request covers a range of updates and improvements across several components of the Janssen project, with a focus on adding support for the Google Spanner persistence backend, updating dependencies, configuration, and build versions, while emphasizing security best practices such as secure handling of credentials, proper management of permissions, comprehensive logging, and secure asset synchronization and dependency management.


Summary:

The code changes in this pull request cover a range of updates and improvements across several components of the Janssen project, including the Auth Server, Configurator, FIDO2 Server, Keycloak Link, and SCIM Server. The primary focus of these changes is to add support for the Google Spanner persistence backend, as well as to update dependencies, configuration, and build versions.

From an application security perspective, the changes generally demonstrate a strong emphasis on security best practices, such as:

  1. Secure handling of credentials and sensitive configuration data, including Google Cloud credentials, database passwords, and SSL/TLS certificates.
  2. Proper management of permissions and ownership of files and directories, including the use of non-root users.
  3. Comprehensive logging configurations to support monitoring and security incident investigation.
  4. Secure asset synchronization and dependency management to mitigate potential vulnerabilities.

However, it is important to review the specific implementation details and configurations to ensure that no new security vulnerabilities are introduced, especially in areas like input validation, access control, and the integration with external services (e.g., Google Spanner, Keycloak).

Files Changed:

  1. docker-jans-auth-server/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  2. docker-jans-auth-server/Dockerfile: Updates the Janssen source version and various dependency versions.
  3. docker-jans-all-in-one/Dockerfile: Updates the Janssen source version and uses a secure base image.
  4. docker-jans-casa/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  5. docker-jans-casa/Dockerfile: Updates the Janssen source version and build date.
  6. docker-jans-configurator/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  7. docker-jans-configurator/Dockerfile: Updates the Janssen source version and build date.
  8. docker-jans-config-api/Dockerfile: Updates the Janssen source version and build date.
  9. docker-jans-config-api/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  10. docker-jans-fido2/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  11. docker-jans-fido2/Dockerfile: Updates the Janssen source version and build date.
  12. docker-jans-kc-scheduler/Dockerfile: Updates the Janssen source version and build date.
  13. docker-jans-keycloak-link/Dockerfile: Updates the Janssen source version and build date.
  14. docker-jans-keycloak-link/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  15. docker-jans-link/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  16. docker-jans-link/Dockerfile: Updates the Janssen source version and build date.
  17. docker-jans-monolith/Dockerfile: Updates the Janssen source version.
  18. docker-jans-persistence-loader/Dockerfile: Updates the Janssen source version.
  19. docker-jans-persistence-loader/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  20. docker-jans-saml/Dockerfile: Updates the Keycloak and Janssen SAML SPI versions, as well as the Janssen source version.
  21. docker-jans-saml/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.
  22. docker-jans-scim/Dockerfile: Updates the Janssen SCIM server version and build date, as well as the Janssen source version.
  23. docker-jans-scim/scripts/bootstrap.py: Adds support for synchronizing Google Cloud credentials for the Spanner persistence backend.

Code Analysis

We ran 9 analyzers against 26 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer                   Findings
Sensitive Files Analyzer   14
Authn/Authz Analyzer       5

Riskiness

🟢 Risk threshold not exceeded.


Signed-off-by: iromli <isman.firmansyah@gmail.com>
@moabu moabu merged commit c832069 into main Sep 9, 2024
10 checks passed
@moabu moabu deleted the cn-sync-assets branch September 9, 2024 06:53
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* chore(cloud-native): sync assets into OCI images

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* feat(cloud-native): sync google credentials (if applicable)

Signed-off-by: iromli <isman.firmansyah@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Former-commit-id: c832069