diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile
index 7dc7d62f1be..fd946775ad0 100644
--- a/docker-jans-auth-server/Dockerfile
+++ b/docker-jans-auth-server/Dockerfile
@@ -51,7 +51,7 @@ RUN /opt/jython/bin/pip uninstall -y pip setuptools
# ===========
ENV CN_VERSION=1.0.21-SNAPSHOT
-ENV CN_BUILD_DATE='2023-10-11 10:17'
+ENV CN_BUILD_DATE='2023-11-14 10:53'
ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
# Install Jans Auth
diff --git a/docker-jans-casa/Dockerfile b/docker-jans-casa/Dockerfile
index 361e34977f8..456ca2218ae 100644
--- a/docker-jans-casa/Dockerfile
+++ b/docker-jans-casa/Dockerfile
@@ -55,7 +55,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-casa/plugins \
# jans-linux-setup sync
# =====================
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
ARG JANS_CASA_EXTRAS_DIR=jans-casa/extras
diff --git a/docker-jans-config-api/Dockerfile b/docker-jans-config-api/Dockerfile
index 460ede4ff5d..07466d4c6c0 100644
--- a/docker-jans-config-api/Dockerfile
+++ b/docker-jans-config-api/Dockerfile
@@ -94,7 +94,7 @@ RUN wget -q ${SCIM_PLUGIN_SOURCE_URL} -O ${JETTY_BASE}/jans-config-api/_plugins/
# jans-linux-setup sync
# =====================
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources
diff --git a/docker-jans-fido2/Dockerfile b/docker-jans-fido2/Dockerfile
index fea9d8fd85e..0af6ae8b893 100644
--- a/docker-jans-fido2/Dockerfile
+++ b/docker-jans-fido2/Dockerfile
@@ -59,7 +59,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-fido2/webapps \
# jans-linux-setup sync
# =====================
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
# note that as we're pulling from a monorepo (with multiple project in it)
diff --git a/docker-jans-link/Dockerfile b/docker-jans-link/Dockerfile
index f650654955a..f3ba10f120c 100644
--- a/docker-jans-link/Dockerfile
+++ b/docker-jans-link/Dockerfile
@@ -59,7 +59,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-link/webapps \
# jans-linux-setup sync
# =====================
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
# note that as we're pulling from a monorepo (with multiple project in it)
diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile
index 98655a57c45..cc92b4e4439 100644
--- a/docker-jans-persistence-loader/Dockerfile
+++ b/docker-jans-persistence-loader/Dockerfile
@@ -26,7 +26,7 @@ RUN python3 -m ensurepip \
# =====================
# janssenproject/jans SHA commit
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
ARG JANS_SCRIPT_CATALOG_DIR=docs/script-catalog
ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources
diff --git a/docker-jans-persistence-loader/scripts/hooks.py b/docker-jans-persistence-loader/scripts/hooks.py
index cc1eaf2defd..1e7a5be524a 100644
--- a/docker-jans-persistence-loader/scripts/hooks.py
+++ b/docker-jans-persistence-loader/scripts/hooks.py
@@ -21,12 +21,10 @@ def transform_auth_dynamic_config_hook(conf, manager):
should_update = False
hostname = manager.config.get("hostname")
- if "redirectUrisRegexEnabled" not in conf:
- conf["redirectUrisRegexEnabled"] = True
- should_update = True
-
- if "accessTokenSigningAlgValuesSupported" not in conf:
- conf["accessTokenSigningAlgValuesSupported"] = [
+ # add missing top-level keys
+ for missing_key, value in [
+ ("redirectUrisRegexEnabled", True),
+ ("accessTokenSigningAlgValuesSupported", [
"none",
"HS256",
"HS384",
@@ -40,17 +38,40 @@ def transform_auth_dynamic_config_hook(conf, manager):
"ES512",
"PS256",
"PS384",
- "PS512"
- ]
- should_update = True
-
- if "forceSignedRequestObject" not in conf:
- conf["forceSignedRequestObject"] = False
- should_update = True
-
- if "grantTypesAndResponseTypesAutofixEnabled" not in conf:
- conf["grantTypesAndResponseTypesAutofixEnabled"] = False
- should_update = True
+ "PS512",
+ ]),
+ ("forceSignedRequestObject", False),
+ ("grantTypesAndResponseTypesAutofixEnabled", False),
+ ("useHighestLevelScriptIfAcrScriptNotFound", False),
+ ("requestUriBlockList", ["localhost", "127.0.0.1"]),
+ ("ssaConfiguration", {
+ "ssaEndpoint": f"https://{hostname}/jans-auth/restv1/ssa",
+ "ssaSigningAlg": "RS256",
+ "ssaExpirationInDays": 30,
+ }),
+ ("blockWebviewAuthorizationEnabled", False),
+ ("subjectIdentifiersPerClientSupported", ["mail", "uid"]),
+ ("agamaConfiguration", {
+ "enabled": True,
+ "templatesPath": "/ftl",
+ "scriptsPath": "/scripts",
+ "serializerType": "KRYO",
+ "maxItemsLoggedInCollections": 9,
+ "pageMismatchErrorPage": "mismatch.ftl",
+ "interruptionErrorPage": "timeout.ftl",
+ "crashErrorPage": "crash.ftl",
+ "finishedFlowPage": "finished.ftl",
+ "bridgeScriptPage": "agama.xhtml",
+ "defaultResponseHeaders": {
+ "Cache-Control": "max-age=0, no-store",
+ },
+ }),
+ ("authorizationChallengeEndpoint", f"https://{hostname}/jans-auth/restv1/authorization_challenge"),
+ ("archivedJwksUri", f"https://{hostname}/jans-auth/restv1/jwks/archived"),
+ ]:
+ if missing_key not in conf:
+ conf[missing_key] = value
+ should_update = True
if "sessionIdEnabled" in conf:
conf.pop("sessionIdEnabled")
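Review bot: The `agamaConfiguration` default added in this hunk sets `"enabled": True,`, whereas the block it replaces further down in this file (removed in the `@@ -149,28 +147,6` hunk) set `"enabled": False,`, so a deployment whose dynamic config has no agamaConfiguration yet will come out of this migration with the Agama engine switched on instead of off. Turning a feature on by default during a config upgrade widens what the server serves, so if the flip is deliberate it deserves to be stated next to the table, e.g. change the loop comment to `# add missing top-level keys (note: agama engine now defaults to enabled)`; if it is not, keep `"enabled": False,`. The `for` header this body belongs to sits in the previous hunk, and transform_auth_dynamic_config_hook itself starts before and ends after this one.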
@@ -73,29 +94,10 @@ def transform_auth_dynamic_config_hook(conf, manager):
]
should_update = True
- if "useHighestLevelScriptIfAcrScriptNotFound" not in conf:
- conf["useHighestLevelScriptIfAcrScriptNotFound"] = False
- should_update = True
-
if "httpLoggingExcludePaths" not in conf:
conf["httpLoggingExcludePaths"] = conf.pop("httpLoggingExludePaths", [])
should_update = True
- if "requestUriBlockList" not in conf:
- conf["requestUriBlockList"] = [
- "localhost",
- "127.0.0.1",
- ]
- should_update = True
-
- if "ssaConfiguration" not in conf:
- conf["ssaConfiguration"] = {
- "ssaEndpoint": f"https://{hostname}/jans-auth/restv1/ssa",
- "ssaSigningAlg": "RS256",
- "ssaExpirationInDays": 30
- }
- should_update = True
-
if "ssaCustomAttributes" not in conf["ssaConfiguration"]:
conf["ssaConfiguration"]["ssaCustomAttributes"] = []
should_update = True
@@ -122,10 +124,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
conf[new_attr] = conf.pop(old_attr, None)
should_update = True
- if "blockWebviewAuthorizationEnabled" not in conf:
- conf["blockWebviewAuthorizationEnabled"] = False
- should_update = True
-
if "dateFormatterPatterns" not in conf:
# remove old config
conf.pop("userInfoConfiguration", None)
@@ -149,28 +147,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
conf["personCustomObjectClassList"] = []
should_update = True
- if "subjectIdentifiersPerClientSupported" not in conf:
- conf["subjectIdentifiersPerClientSupported"] = ["mail", "uid"]
- should_update = True
-
- if "agamaConfiguration" not in conf:
- conf["agamaConfiguration"] = {
- "enabled": False,
- "templatesPath": "/ftl",
- "scriptsPath": "/scripts",
- "serializerType": "KRYO",
- "maxItemsLoggedInCollections": 9,
- "pageMismatchErrorPage": "mismatch.ftl",
- "interruptionErrorPage": "timeout.ftl",
- "crashErrorPage": "crash.ftl",
- "finishedFlowPage": "finished.ftl",
- "bridgeScriptPage": "agama.xhtml",
- "defaultResponseHeaders": {
- "Cache-Control": "max-age=0, no-store",
- },
- }
- should_update = True
-
if "interruptionTime" in conf["agamaConfiguration"]:
conf["agamaConfiguration"].pop("interruptionTime", None)
should_update = True
@@ -204,11 +180,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
conf["agamaConfiguration"]["rootDir"] = "/opt/jans/jetty/jans-auth/agama"
should_update = True
- # add authorizationChallengeEndpoint if missing
- if "authorizationChallengeEndpoint" not in conf:
- conf["authorizationChallengeEndpoint"] = f"https://{hostname}/jans-auth/restv1/authorization_challenge"
- should_update = True
-
# return the conf and flag to determine whether it needs update or not
return conf, should_update
diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
index f174586bc1a..8cb5207c26a 100644
--- a/docker-jans-persistence-loader/scripts/upgrade.py
+++ b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -888,9 +888,13 @@ def _transform_auth_errors_config(conf):
def _transform_auth_static_config(conf):
should_update = False
- if "ssa" not in conf["baseDn"]:
- conf["baseDn"]["ssa"] = "ou=ssa,o=jans"
- should_update = True
+ for key, dn in [
+ ("ssa", "ou=ssa,o=jans"),
+ ("archivedJwks", "ou=archived_jwks,o=jans"),
+ ]:
+ if key not in conf["baseDn"]:
+ conf["baseDn"][key] = dn
+ should_update = True
return conf, should_update
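Review bot: `_transform_auth_static_config` still has no docstring, and now that the guarantees live in a table rather than named `if` blocks, a reader has to scan the tuples to learn which `baseDn` entries the upgrade ensures; a one-line docstring directly under the `def`, such as `"""Ensure the auth static config's baseDn has the ssa and archivedJwks entries; return (conf, should_update)."""`, would make that explicit. The function is complete within this hunk.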