diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json
index 64ae9111054..5f7215d8792 100644
--- a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json
+++ b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json
@@ -26,6 +26,12 @@
 "backchannelDeviceRegistrationEndpoint":"https://%(hostname)s/jans-auth/restv1/bc-deviceRegistration",
 "deviceAuthzEndpoint":"https://%(hostname)s/jans-auth/restv1/device_authorization",
 "openidSubAttribute":"inum",
+ "discoveryDenyKeys": [
+ "id_generation_endpoint",
+ "auth_level_mapping",
+ "scope_to_claims_mapping",
+ "op_policy_uri"
+ ],
 "publicSubjectIdentifierPerClientEnabled": true,
 "subjectIdentifiersPerClientSupported": [
 "mail",
diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json
index 677be9d7d6e..fcdf718b49b 100644
--- a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json
+++ b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json
@@ -26,6 +26,12 @@
 "backchannelDeviceRegistrationEndpoint":"https://%(hostname)s/jans-auth/restv1/bc-deviceRegistration",
 "deviceAuthzEndpoint":"https://%(hostname)s/jans-auth/restv1/device_authorization",
 "openidSubAttribute":"inum",
+ "discoveryDenyKeys": [
+ "id_generation_endpoint",
+ "auth_level_mapping",
+ "scope_to_claims_mapping",
+ "op_policy_uri"
+ ],
 "discoveryAllowedKeys": [
 "issuer",
 "authorization_endpoint",
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java
index 78b1e8e84c8..bcc16df5930 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java
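Review bot: In jans-auth-config.ob.json the new `discoveryDenyKeys` block is added next to an already non-empty `discoveryAllowedKeys` list, and the patched `filterOutKeys` in OpenIdConfiguration.java runs the allow-list pass after the deny pass, removing every key that is not allowed. So the four denied keys only have an effect in this template if they are also present in `discoveryAllowedKeys`; otherwise the block is redundant and may mislead an operator into thinking the deny-list is what hides them. Either drop the block from the ob.json template or make sure the config-api description states that a non-empty allow-list takes effect after the deny-list. The plain jans-auth-config.json template has no allow-list, so there the deny-list is the effective control.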
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java @@ -309,6 +309,7 @@ public class AppConfiguration implements Configuration { private int discoveryCacheLifetimeInMinutes = 60; private List discoveryAllowedKeys; + private List discoveryDenyKeys; private List enabledComponents; @@ -354,6 +355,15 @@ public void setAllowIdTokenWithoutImplicitGrantType(Boolean allowIdTokenWithoutI this.allowIdTokenWithoutImplicitGrantType = allowIdTokenWithoutImplicitGrantType; } + public List getDiscoveryDenyKeys() { + if (discoveryDenyKeys == null) discoveryDenyKeys = new ArrayList<>(); + return discoveryDenyKeys; + } + + public void setDiscoveryDenyKeys(List discoveryDenyKeys) { + this.discoveryDenyKeys = discoveryDenyKeys; + } + public List getDiscoveryAllowedKeys() { if (discoveryAllowedKeys == null) discoveryAllowedKeys = new ArrayList<>(); return discoveryAllowedKeys; diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java b/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java index 64b01c8fd60..55b3a652778 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/servlet/OpenIdConfiguration.java 
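Review bot: The new `discoveryDenyKeys` field and its accessors in the second hunk carry no Javadoc, and nothing in the model states how the deny-list relates to `discoveryAllowedKeys`, which is the question the next maintainer will have. Suggest on the field: `/** Discovery-response keys removed before the allow-list in {@link #getDiscoveryAllowedKeys()} is applied; a key present in both lists is removed. */`. The getter lazily assigns the field and hands out the live mutable list, mirroring the existing `getDiscoveryAllowedKeys()`, which keeps the style consistent; since this bean is presumably shared across request threads, that lazy write is a benign race at best, so confirm the configuration is fully populated before discovery requests can read it concurrently. The generic type argument of the `List` fields is not visible in this rendering of the diff; verify it is `List<String>` rather than a raw type.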
@@ -111,34 +111,34 @@ @WebServlet(urlPatterns = "/.well-known/openid-configuration", loadOnStartup = 10) public class OpenIdConfiguration extends HttpServlet { - private static final long serialVersionUID = -8224898157373678903L; + private static final long serialVersionUID = -8224898157373678904L; @Inject - private Logger log; + private transient Logger log; @Inject - private AppConfiguration appConfiguration; + private transient AppConfiguration appConfiguration; @Inject - private AttributeService attributeService; + private transient AttributeService attributeService; @Inject - private ScopeService scopeService; + private transient ScopeService scopeService; @Inject - private ExternalAuthenticationService externalAuthenticationService; + private transient ExternalAuthenticationService externalAuthenticationService; @Inject - private ExternalDynamicScopeService externalDynamicScopeService; + private transient ExternalDynamicScopeService externalDynamicScopeService; @Inject - private ExternalDiscoveryService externalDiscoveryService; + private transient ExternalDiscoveryService externalDiscoveryService; @Inject - private CIBAConfigurationService cibaConfigurationService; + private transient CIBAConfigurationService cibaConfigurationService; @Inject - private LocalResponseCache localResponseCache; + private transient LocalResponseCache localResponseCache; /** * Processes requests for both HTTP GET and POST @@ -148,7 +148,7 @@ public class OpenIdConfiguration extends HttpServlet { * @param httpResponse servlet response * @throws IOException */ - @SuppressWarnings("deprecation") + @SuppressWarnings({"deprecation", "java:S3776"}) protected void processRequest(HttpServletRequest servletRequest, HttpServletResponse httpResponse) throws IOException { if (!(externalAuthenticationService.isLoaded() && externalDynamicScopeService.isLoaded())) { httpResponse.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); 
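Review bot: `@SuppressWarnings({"deprecation", "java:S3776"})` on `processRequest` in the second hunk silences the cognitive-complexity rule rather than reducing the complexity, and the same suppression is added to `addMtlsAliases` and `createScopeToClaimsMapping` in later hunks of this file. If the suppressions are meant to stay, a short comment on each giving the reason keeps the next reader from either removing them or copying the pattern to new code. Marking the CDI-injected fields `transient` is the right answer to the serializable-servlet warning; the accompanying `serialVersionUID` bump is harmless but not required, as transient fields do not take part in the computed default. `processRequest`'s body continues outside the hunk.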
@@ -429,7 +429,7 @@ protected void processRequest(HttpServletRequest servletRequest, HttpServletResp // CIBA Configuration cibaConfigurationService.processConfiguration(jsonObj); - filterOutKeys(jsonObj); + filterOutKeys(jsonObj, appConfiguration); localResponseCache.putDiscoveryResponse(jsonObj); JSONObject clone = new JSONObject(jsonObj.toString()); @@ -445,6 +445,7 @@ protected void processRequest(HttpServletRequest servletRequest, HttpServletResp } } + @SuppressWarnings("java:S3776") private void addMtlsAliases(JSONObject jsonObj) { JSONObject aliases = new JSONObject(); @@ -478,23 +479,31 @@ private void addMtlsAliases(JSONObject jsonObj) { aliases.put(PAR_ENDPOINT, appConfiguration.getMtlsParEndpoint()); } - log.trace("MTLS aliases: " + aliases.toString()); - if (!aliases.isEmpty()) + if (log.isTraceEnabled()) { + log.trace("MTLS aliases: {}", aliases); + } + if (!aliases.isEmpty()) { jsonObj.put(MTLS_ENDPOINT_ALIASES, aliases); + } } - private void filterOutKeys(JSONObject jsonObj) { - final List allowedKeys = appConfiguration.getDiscoveryAllowedKeys(); - if (allowedKeys == null || allowedKeys.isEmpty()) { - return; // nothing to filter + public static void filterOutKeys(JSONObject jsonObj, AppConfiguration appConfiguration) { + final List denyKeys = appConfiguration.getDiscoveryDenyKeys(); + if (!denyKeys.isEmpty()) { + for (String key : new HashSet<>(jsonObj.keySet())) { + if (denyKeys.contains(key)) { + jsonObj.remove(key); + } + } } - for (String key : new HashSet<>(jsonObj.keySet())) { - if (allowedKeys.contains(key)) { - continue; + final List allowedKeys = appConfiguration.getDiscoveryAllowedKeys(); + if (!allowedKeys.isEmpty()) { + for (String key : new HashSet<>(jsonObj.keySet())) { + if (!allowedKeys.contains(key)) { + jsonObj.remove(key); + } } - - jsonObj.remove(key); } } 
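Review bot: `filterOutKeys` in the third hunk makes two passes over two separate `HashSet` snapshots of `jsonObj.keySet()`, and nothing documents the precedence it implements: the deny pass runs first, then a non-empty allow-list removes everything not in it, so a key in both lists is removed and a non-empty allow-list makes the deny-list redundant for keys outside it. A single pass with both conditions plus a Javadoc stating that precedence keeps the behaviour and makes the contract visible to whoever edits the templates. The method also depends on both getters never returning null, which holds for `AppConfiguration` as patched in this commit; if a test double or subclass could return null, failing early with `Objects.requireNonNull` is clearer than an NPE inside the loop. The ordering with `localResponseCache.putDiscoveryResponse(jsonObj)` in the first hunk is correct, since the filtered object is what gets cached.

```java
    /**
     * Removes keys from the discovery document: first every key listed in
     * discoveryDenyKeys, then, only when discoveryAllowedKeys is non-empty,
     * every key not in discoveryAllowedKeys. A key in both lists is removed.
     */
    public static void filterOutKeys(JSONObject jsonObj, AppConfiguration appConfiguration) {
        final List<String> denyKeys = appConfiguration.getDiscoveryDenyKeys();
        final List<String> allowedKeys = appConfiguration.getDiscoveryAllowedKeys();
        if (denyKeys.isEmpty() && allowedKeys.isEmpty()) {
            return; // nothing to filter
        }
        for (String key : new HashSet<>(jsonObj.keySet())) {
            final boolean denied = denyKeys.contains(key);
            final boolean notAllowed = !allowedKeys.isEmpty() && !allowedKeys.contains(key);
            if (denied || notAllowed) {
                jsonObj.remove(key);
            }
        }
    }
```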
@@ -514,10 +523,11 @@ private String endpointUrl(String path) { * /.well-known/gluu-configuration */ @Deprecated + @SuppressWarnings("java:S3776") private JSONArray createScopeToClaimsMapping(JSONArray scopesSupported, JSONArray claimsSupported) { final JSONArray scopeToClaimMapping = new JSONArray(); - Set scopes = new HashSet(); - Set claims = new HashSet(); + Set scopes = new HashSet<>(); + Set claims = new HashSet<>(); try { for (Scope scope : scopeService.getAllScopesList()) { @@ -589,8 +599,8 @@ private JSONObject createAuthLevelMapping() { final JSONObject mappings = new JSONObject(); try { Map> map = externalAuthenticationService.levelToAcrMapping(); - for (Integer level : map.keySet()) - mappings.put(level.toString(), map.get(level)); + for (Map.Entry> entry : map.entrySet()) + mappings.put(entry.getKey().toString(), entry.getValue()); } catch (Exception e) { log.error(e.getMessage(), e); } diff --git a/jans-auth-server/server/src/test/java/io/jans/as/server/servlet/OpenIdConfigurationTest.java b/jans-auth-server/server/src/test/java/io/jans/as/server/servlet/OpenIdConfigurationTest.java new file mode 100644 index 00000000000..e6ecb805107 --- /dev/null +++ b/jans-auth-server/server/src/test/java/io/jans/as/server/servlet/OpenIdConfigurationTest.java 
@@ -0,0 +1,38 @@ +package io.jans.as.server.servlet; + +import io.jans.as.model.configuration.AppConfiguration; +import org.json.JSONObject; +import org.testng.annotations.Test; + +import static org.junit.Assert.assertTrue; +import static org.testng.AssertJUnit.assertFalse; + +/** + * @author Yuriy Z + */ +public class OpenIdConfigurationTest { + + @Test + public void filterOutKeys_whenKeyIsInDentiedList_mustRemoveThemFromJson() { + AppConfiguration appConfiguration = new AppConfiguration(); + appConfiguration.getDiscoveryDenyKeys().add("test"); + + JSONObject json = new JSONObject("{\"test\": 1}"); + assertTrue(json.has("test")); + + OpenIdConfiguration.filterOutKeys(json, appConfiguration); + assertFalse(json.has("test")); + } + + @Test + public void filterOutKeys_whenKeyIsNotInDentiedList_mustNotRemoveThemFromJson() { + AppConfiguration appConfiguration = new AppConfiguration(); + appConfiguration.getDiscoveryDenyKeys().add("testX"); + + JSONObject json = new JSONObject("{\"test\": 1}"); + assertTrue(json.has("test")); + + OpenIdConfiguration.filterOutKeys(json, appConfiguration); + assertTrue(json.has("test")); + } +} diff --git a/jans-auth-server/server/src/test/resources/testng.xml b/jans-auth-server/server/src/test/resources/testng.xml index 77ca8ee1bc2..c57fd3d8784 100644 --- a/jans-auth-server/server/src/test/resources/testng.xml +++ b/jans-auth-server/server/src/test/resources/testng.xml @@ -16,6 +16,7 @@ + diff --git a/jans-config-api/docs/jans-config-api-swagger.yaml b/jans-config-api/docs/jans-config-api-swagger.yaml index 3718bfdfb0f..79bc7565b99 100644 --- a/jans-config-api/docs/jans-config-api-swagger.yaml +++ b/jans-config-api/docs/jans-config-api-swagger.yaml 
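Review bot: The new test class imports `assertTrue` from `org.junit.Assert` but `assertFalse` from `org.testng.AssertJUnit` inside a TestNG test; both should come from the same TestNG assertion class so this test does not depend on JUnit being on the classpath. The method names misspell "Denied" (`filterOutKeys_whenKeyIsInDentiedList_mustRemoveThemFromJson` and its sibling). The cases also leave the precedence of `filterOutKeys` unpinned: a key present in both `discoveryDenyKeys` and `discoveryAllowedKeys` must be removed, and a key missing from a non-empty allow-list must be removed even when it is not denied. A third test that denies and allows `test` and then asserts `assertFalse(json.has("test"))` would cover the first of these, and a fourth with only an allow-list the second.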
@@ -4768,6 +4768,12 @@ components:
 items:
 type: string
 example: '\"RS256\", \"RS512\", \"ES384\", \"PS256\"'
+ discoveryDenyKeys:
+ type: array
+ description: List of configuration response claims which must not be displayed in discovery endpoint response.
+ items:
+ type: string
+ example: 'id_generation_endpoint, auth_level_mapping, etc.'
 discoveryAllowedKeys:
 type: array
 description: List of configuration response claim allowed to be displayed in discovery endpoint.