
feat(jans-lock): add endpoints to allow send bulk audit data #9488

Merged (6 commits) Sep 13, 2024

Conversation

yurem (Contributor) commented Sep 13, 2024

closes #9487

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

dryrunsecurity bot commented Sep 13, 2024

DryRun Security Summary

The pull request covers a wide range of updates and improvements to the Jans Config API, primarily focused on enhancing the security, performance, and functionality of the audit-related features, including improved token handling, robust JSON handling, bulk processing enhancements, and centralized constant management.


Summary:

The code changes in this pull request cover a wide range of updates and improvements to the Jans Config API and its associated components. The changes span across various files and modules, primarily focused on enhancing the security, performance, and functionality of the audit-related features.

Key security-focused changes include:

  1. Improved Token Handling: The code now properly manages access tokens, including checking their validity and expiration dates, to ensure that expired tokens are not reused.
  2. Robust JSON Handling: The code has been updated to use the more secure and flexible JsonNode class for handling JSON data, and it includes proper exception handling to mitigate potential security issues.
  3. Bulk Processing Enhancements: The addition of new "bulk" processing endpoints for health, log, and telemetry data could improve efficiency, but it also requires careful consideration of potential resource exhaustion risks and appropriate input validation and rate-limiting mechanisms.
  4. Centralized Constant Management: The updates to the Constants class demonstrate a consistent approach to managing API-related constants, which can help maintain security and consistency throughout the application.

Overall, the changes in this pull request appear to be focused on improving the security, reliability, and functionality of the Jans Config API's audit-related features. As an application security engineer, I would recommend thoroughly reviewing the implementation details and the broader context of the application to ensure that the changes do not introduce any unintended security vulnerabilities.

Files Changed:

  1. jans-config-api/common/src/main/java/io/jans/configapi/util/ApiConstants.java: Removal of the EVENT_RANGE_PATH constant, which does not appear to introduce any significant security concerns.
  2. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/model/stat/HealthEntry.java: Renaming of the nodeId field to nodeName, which is a reasonable change that does not raise any immediate security issues.
  3. jans-config-api/plugins/docs/lock-plugin-swagger.yaml: Updates to the Swagger documentation for the Jans Config API's Lock plugin, including changes to audit-related API endpoints and data models.
  4. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/model/stat/TelemetryEntry.java: Renaming of the nodeId field to nodeName and changing the lastPolicyLoadSize field from Integer to int.
  5. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/model/stat/LogEntry.java: Renaming of the nodeId field to nodeName and changing the HashMap type for contextInformation to Map.
  6. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/AuditResource.java: Addition of new endpoints for bulk saving of health, log, and telemetry data, with appropriate error handling and input validation.
  7. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/util/Constants.java: Addition of new constants, SEARCH and BULK, likely related to the new search and bulk functionality.
  8. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/service/AuditService.java: Improvements to the handling of timestamps and unique identifiers for audit entries, as well as the implementation of pagination and size limiting.
  9. jans-config-api/docs/jans-config-api-swagger.yaml: Update to the JansAttribute schema, changing the whitePagesCanView property to adminCanView and adminCanEdit.
  10. jans-linux-setup/jans_setup/schema/jans_schema.json: Addition of a new attribute called "jansNodeName" to the Jans schema.
  11. jans-lock/lock-server/service/src/main/java/io/jans/lock/service/DataMapperService.java: Improvements to the JSON handling and CBOR support in the `Data

Code Analysis

We ran 9 analyzers against 16 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings: Authn/Authz Analyzer, 5 findings

Riskiness

🟢 Risk threshold not exceeded.


yuriyz previously approved these changes Sep 13, 2024
@yurem yurem enabled auto-merge (squash) September 13, 2024 12:20
@yurem yurem requested a review from yuriyz September 13, 2024 12:20
@yurem yurem merged commit 9611711 into main Sep 13, 2024
12 checks passed
@yurem yurem deleted the audit_fields_update branch September 13, 2024 12:31
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* feat(jans-config-api): allow bulk audit data upload

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-config-api): add lock bulk audit endpoints

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-lock): use JsonNode instead of JSONObject

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-config-api): merge from main

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* feat(jans-config-api): merge from main

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

---------

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Former-commit-id: 9611711