feat(config-api): agama download endpoint #10463

Merged
merged 34 commits into from
Dec 19, 2024
Conversation

pujavs (Contributor)

@pujavs pujavs commented Dec 19, 2024

Prepare


Description

Issue #10454: Implemented an endpoint that returns an Agama project

Target issue

closes #10454

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Merge branch 'main' of https://github.com/JanssenProject/jans into jans-config-dev
@pujavs pujavs requested review from yuriyz and yurem as code owners December 19, 2024 16:34
@pujavs pujavs requested a review from devrimyatar December 19, 2024 16:35

DryRun Security Summary

The pull request enhances the Jans Config API's functionality in user management, Agama project management, and API documentation, introducing new endpoints and schema updates while requiring careful security review to prevent potential vulnerabilities.


Summary:

The changes in this pull request appear to be focused on enhancing the functionality of the Jans Config API, particularly in the areas of user management, Agama project management, and API documentation. While the changes do not immediately introduce any obvious security vulnerabilities, there are several areas that require careful consideration from an application security perspective.

The key changes include updates to the CustomUser object schema, the addition of a new endpoint for downloading Agama projects, modifications to the Scope and Client schemas, and changes to the CustomScript schema. Additionally, new endpoints related to Agama project management, such as deployment, configuration, and deletion, have been added.

From a security standpoint, it is crucial to ensure that the new functionality is properly secured and that all input is thoroughly validated to prevent potential security issues, such as injection attacks, unauthorized access, and arbitrary code execution. Additionally, the handling of user passwords and the logging of sensitive information should be reviewed to maintain the overall security posture of the application.

Files Changed:

  1. jans-config-api/plugins/docs/user-mgt-plugin-swagger.yaml:

    • The changes update the schema for the CustomUser object, moving the value property to be nested under CustomObjectAttribute.
    • The displayValue property has been added to the CustomObjectAttribute schema.
    • These changes appear to be reasonable and do not introduce any obvious security concerns, but the handling of user passwords should be reviewed.
  2. jans-config-api/server/src/main/java/io/jans/configapi/service/auth/AgamaRepoService.java:

    • A new method getAgamaProject has been added to fetch an Agama project file from a given download link.
    • The method includes input validation, URL decoding, and Base64 encoding of the fetched data, which helps mitigate potential security issues.
    • The logging of the download link should be reviewed to ensure that sensitive information is not being exposed.
  3. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AgamaRepoResource.java:

    • A new GET endpoint /download has been added to allow users to download the Agama project.
    • The endpoint is protected by OAuth2 security and requires specific scopes to access it.
    • The input validation, authorization, response format, and error handling of this endpoint should be thoroughly reviewed to ensure that it is secure and does not introduce any vulnerabilities.
  4. jans-config-api/docs/jans-config-api-swagger.yaml:

    • The Swagger documentation has been updated to include the new Agama project management functionality, such as the download endpoint and new schemas.
    • The security implications of these changes should be carefully considered, as they could introduce new attack vectors if not properly implemented and secured.

Overall, the changes in this pull request appear to be focused on enhancing the functionality of the Jans Config API, but it is crucial to ensure that the new features are implemented with a strong emphasis on security to maintain the overall security posture of the application.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.


@mo-auto mo-auto added labels Dec 19, 2024: comp-docs (Touching folder /docs), comp-jans-config-api (Component affected by issue or PR), kind-feature (Issue or PR is a new feature request)

Quality Gate failed for 'jans-config-api-parent'

Failed conditions
2 New Vulnerabilities (required ≤ 0)

See analysis details on SonarQube Cloud


@yuriyz yuriyz enabled auto-merge (squash) December 19, 2024 17:35
@yuriyz yuriyz merged commit 5bec96c into main Dec 19, 2024
40 of 42 checks passed
@yuriyz yuriyz deleted the jans-config-dev branch December 19, 2024 17:36