
fix(jans-auth-server): when acr is changed to agama, flow fails with AcrChangedException #9374 #9458

Merged: 3 commits merged into main from jans-auth-server-9374, Sep 11, 2024

Conversation

@yuriyz (Contributor) commented Sep 11, 2024

Description

fix(jans-auth-server): when acr is changed to agama, flow fails with AcrChangedException

Target issue

closes #9374

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…crChangedException #9374

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

dryrunsecurity bot commented Sep 11, 2024

DryRun Security Summary

The pull request focuses on improving the handling of Authentication Context Class Reference (ACR) values in the Janssen Project application, including ACR value validation, mapping, script availability checks, and ACR change detection, accompanied by a comprehensive set of unit tests.


Summary:

The code changes in this pull request are focused on improving the handling of Authentication Context Class Reference (ACR) values in the Janssen Project application. The changes span across several classes, including SessionIdService, ExternalAuthenticationService, AcrService, and their corresponding test classes.

The key security-related improvements include:

  1. ACR Value Validation: The AcrService class now validates the requested ACR values to ensure that the client is authorized to use them. This helps prevent unauthorized access and maintains the integrity of the authentication process.

  2. ACR Mapping: The application now supports mapping of ACR values to different values, which can be useful for maintaining compatibility or abstracting the underlying authentication mechanisms.

  3. ACR Script Availability: The code checks that the requested ACR values have corresponding custom script configurations available, ensuring that the required authentication mechanisms are in place.

  4. ACR Change Detection: The application now checks if the ACR values in the current authorization request match the ACR values associated with the user's session. If the ACR values have changed, it handles the situation by either forcing re-authentication or throwing an exception, which is an important security measure.

  5. Unit Tests: The changes are accompanied by a comprehensive set of unit tests that cover various scenarios related to ACR value handling, including validation, mapping, and script availability. This helps ensure the robustness and security of the implemented functionality.

Files Changed:

  1. jans-auth-server/server/src/main/java/io/jans/as/server/service/SessionIdService.java: The changes in this file focus on parsing the acrValues parameter and returning a list of valid ACR values that have a corresponding script name in the externalAuthenticationService.

  2. jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthenticationService.java: The changes in this file update the scriptName method to use the AcrService.getScriptName(acr) method and build a scriptAliasMap that maps ACR values to their corresponding script names.

  3. jans-auth-server/server/src/main/java/io/jans/as/server/service/AcrService.java: The changes in this file introduce new methods to handle ACR value validation, mapping, and script availability checks, which are crucial for maintaining the security of the authentication process.

  4. jans-auth-server/server/src/test/java/io/jans/as/server/service/AcrServiceTest.java: This file contains a comprehensive set of unit tests that validate the various ACR-related functionalities implemented in the AcrService class.

Overall, the changes in this pull request focus on improving the security and robustness of the ACR value handling in the Janssen Project application, which is an important aspect of the authentication process.

Code Analysis

We ran 9 analyzers against 4 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings: Authn/Authz Analyzer, 3 findings

Riskiness

🟢 Risk threshold not exceeded.

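As an added illustration of the ACR handling the bot summary describes (parse acr_values, resolve aliases to script names, drop values whose script is not available, enforce the client allow-list, then compare against the session's ACR to detect a change), here is a small self-contained Java model written for this page. It is not Janssen code and calls no Janssen API: the alias map, the enabled-script set, the client allow-list, the sample request and the decision rule (re-authenticate rather than throw when the requested ACR differs from the session's) are all assumptions made for the example; the actual behaviour of AcrService, ExternalAuthenticationService and SessionIdService is not visible on this page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Illustrative model of ACR validation, alias mapping, script-availability
 * filtering and ACR-change detection. Hypothetical example, not Janssen code.
 */
public class AcrCheckExample {

    /** Outcome of comparing the request's ACR values with the session's ACR. */
    enum Decision { REUSE_SESSION, REAUTHENTICATE }

    // Constructed configuration (assumption): acr value or alias -> script name.
    static final Map<String, String> ALIAS_TO_SCRIPT = Map.of(
            "basic", "basic",
            "agama_login", "agama",   // hypothetical alias for an Agama flow script
            "otp", "otp");

    // Constructed set of scripts that are currently enabled (assumption).
    static final Set<String> ENABLED_SCRIPTS = Set.of("basic", "agama");

    /** Parse the space-separated acr_values parameter; null or blank yields an empty list. */
    static List<String> parseAcrValues(String acrValues) {
        if (acrValues == null || acrValues.isBlank()) {
            return List.of();
        }
        return Arrays.stream(acrValues.trim().split("\\s+")).distinct().toList();
    }

    /** Resolve an ACR value to the script that implements it, or null if unknown. */
    static String scriptName(String acr) {
        return ALIAS_TO_SCRIPT.get(acr);
    }

    /** Keep only ACR values that resolve to an enabled script, preserving request order. */
    static List<String> availableAcrs(List<String> requested) {
        List<String> usable = new ArrayList<>();
        for (String acr : requested) {
            String script = scriptName(acr);
            if (script != null && ENABLED_SCRIPTS.contains(script)) {
                usable.add(acr);
            }
        }
        return usable;
    }

    /** Enforce the per-client allow-list; an empty allow-list means no restriction. */
    static void checkClientAllowed(List<String> acrs, Set<String> clientAllowedAcrs) {
        if (clientAllowedAcrs.isEmpty()) {
            return;
        }
        for (String acr : acrs) {
            if (!clientAllowedAcrs.contains(acr)) {
                throw new IllegalArgumentException("client is not allowed to request acr: " + acr);
            }
        }
    }

    /**
     * Compare the validated request ACRs with the session's ACR by resolved script
     * name, so an alias of the session's script does not count as a change.
     */
    static Decision decide(List<String> requestedAcrs, String sessionAcr) {
        if (requestedAcrs.isEmpty()) {
            return Decision.REUSE_SESSION;      // nothing requested: keep the current session
        }
        if (sessionAcr == null) {
            return Decision.REAUTHENTICATE;     // no authenticated session yet
        }
        String sessionScript = scriptName(sessionAcr);
        for (String acr : requestedAcrs) {
            if (Objects.equals(scriptName(acr), sessionScript)) {
                return Decision.REUSE_SESSION;  // one requested value matches the session
            }
        }
        return Decision.REAUTHENTICATE;         // ACR changed: require fresh authentication
    }

    public static void main(String[] args) {
        // Constructed client allow-list (assumption).
        Set<String> clientAllowed = Set.of("basic", "agama_login");
        // The session was authenticated with "basic"; the new request asks for
        // "agama_login" and "otp". "otp" is dropped because its script is not enabled.
        List<String> requested = availableAcrs(parseAcrValues("agama_login otp"));
        checkClientAllowed(requested, clientAllowed);
        System.out.println("usable acrs: " + requested);
        System.out.println("session basic -> " + decide(requested, "basic"));
        System.out.println("session agama_login -> " + decide(requested, "agama_login"));
    }
}
```

Whether an alias should count as the same ACR is a design choice: this model compares by resolved script name, so a request for an alias of the session's own script is not treated as a change, while a request that resolves to a different script forces re-authentication. The page does not show which comparison rule the Janssen fix applies or when it raises AcrChangedException instead.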

@mo-auto mo-auto added comp-jans-auth-server Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality labels Sep 11, 2024
@yuriyz yuriyz enabled auto-merge (squash) September 11, 2024 08:37

@yuriyz yuriyz merged commit 664b866 into main Sep 11, 2024
18 checks passed
@yuriyz yuriyz deleted the jans-auth-server-9374 branch September 11, 2024 10:36
yuriyz added a commit that referenced this pull request Nov 7, 2024
…crChangedException #9374 (#9458)

* fix(jans-auth-server): when acr is changed to agama, flow fails with AcrChangedException #9374

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

* removed debug line

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

---------

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Former-commit-id: 664b866
Labels: comp-jans-auth-server (Component affected by issue or PR), kind-bug (Issue or PR is a bug in existing functionality)

Linked issue (closed by this PR): fix(jans-auth-server): when acr is changed to agama, flow fails with AcrChangedException #9374

4 participants