
fix(jans-linux-setup): ruamel.yaml fixes #9462

Merged: 3 commits merged from jans-linux-setup-ruamel-yaml-9445 into main on Sep 11, 2024

Conversation

devrimyatar
Contributor

closes #9445

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: Mustafa Baser <mbaser@mail.com>
devrimyatar added the kind-bug, comp-jans-cli-tui and comp-jans-linux-setup labels on Sep 11, 2024
devrimyatar marked this pull request as draft on September 11, 2024 12:21

dryrunsecurity bot commented Sep 11, 2024

DryRun Security Summary

This pull request covers various security-focused updates to the Jans platform, including improvements to the Jans Lock Server, Jans SCIM Server, Jans Config API, and other utility functions, with a focus on enhancing installation, configuration, and security aspects of these components.

Summary:

The code changes in this pull request cover various components of the Jans platform, including the Jans Lock Server, Jans SCIM Server, Jans Config API, and other utility functions. The changes focus on improving the installation, configuration, and security aspects of these components.

Key security-related updates include:

  • Replacing the ruamel.yaml library with more secure YAML parsing and handling functions
  • Improving the generation and management of LDAP configurations, such as clients, scopes, and access controls
  • Addressing potential security issues like hardcoded credentials and input validation
  • Enhancing logging, monitoring, and error handling capabilities

While the changes generally appear to be security-focused, it's important to thoroughly review the specific implementations to ensure that they do not introduce any new vulnerabilities or unintended consequences. The application security engineer should pay close attention to areas like secure storage of credentials, input validation, access control, and ongoing monitoring and auditing capabilities.

Files Changed:

  1. jans-linux-setup/jans_setup/setup_app/installers/jans_lock.py:

    • Removes dependency on ruamel.yaml and uses base.read_yaml_file() for Swagger YAML parsing
    • Updates Jans Lock client creation and integration with Jans Auth
    • Includes installation and configuration of the Open Policy Agent (OPA) for policy-based access control
  2. jans-linux-setup/jans_setup/setup_app/installers/scim.py:

    • Replaces ruamel.yaml.load with base.read_yaml_file() for YAML parsing
    • Generates LDAP configuration files for SCIM server, including scopes, clients, and other settings
    • Creates a SCIM client with a randomly generated client secret
    • Manages SCIM scopes to enforce appropriate access controls
  3. jans-linux-setup/jans_cli-tui/cli_tui/cli/config_cli.py:

    • Replaces ruamel.yaml.load with yaml_obj.load for improved YAML handling
    • Removes the RoundTripLoader feature, potentially to simplify the YAML parsing process
  4. jans-linux-setup/jans_setup/setup_app/installers/config_api.py:

    • Removes the ruamel.yaml library import
    • Handles installation and configuration of the Jans Config API service, including file extraction, LDIF generation, and dynamic configuration rendering
  5. jans-linux-setup/jans_setup/setup_app/utils/setup_utils.py:

    • Replaces ruamel.yaml with ruamel.yaml.YAML for YAML handling
    • Uses base.read_yaml_file and yaml_obj.dump for improved YAML file reading and writing
  6. jans-linux-setup/jans_setup/setup_app/utils/base.py:

    • Disables SSL certificate verification, which is not recommended for production environments
    • Includes functions for checking system resources, logging, and file/directory handling
  7. jans-linux-setup/jans_setup/templates/jans-lock/dynamic-conf.json:

    • Changes the token URL from %(tokenEndpoint)s to %(jans_auth_token_endpoint)s
    • Defines various endpoint groups and their associated configurations
    • Includes OPA integration configuration and sensitive information like client ID and password

Overall, the changes in this pull request focus on improving the security and reliability of the Jans platform components, with a particular emphasis on secure configuration management, access control, and integration with security-critical components like the Jans Auth and OPA. The application security engineer should continue to review these changes and ensure that they are properly implemented and tested to maintain the application's security posture.

Code Analysis

We ran 9 analyzers against 7 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer (2 findings)

Riskiness

🟢 Risk threshold not exceeded.

devrimyatar marked this pull request as ready for review on September 11, 2024 12:43
yuriyz enabled auto-merge (squash) on September 11, 2024 13:18
yuriyz merged commit 39ba40a into main on Sep 11, 2024
13 checks passed
yuriyz deleted the jans-linux-setup-ruamel-yaml-9445 branch on September 11, 2024 13:18
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* fix(jans-linux-setup): ruamel.yaml fixes

Signed-off-by: Mustafa Baser <mbaser@mail.com>

* fix(jans-cli-tui): newest ruamel.yaml compatibility

Signed-off-by: Mustafa Baser <mbaser@mail.com>

---------

Signed-off-by: Mustafa Baser <mbaser@mail.com>
Former-commit-id: 39ba40a
Successfully merging this pull request may close these issues.

fix(jans-linux-setup): enable using newest ruamel-yaml library