fix(image): update images (#775)

* fix(image): update fido2-server to address bad archive issue * fix(image): update jansConfDyn attribute
JanssenProject · Feb 8, 2022 · b31059c · b31059c
1 parent e1cdc19
commit b31059c
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 9 deletions.
diff --git a/docker-jans-fido2/Dockerfile b/docker-jans-fido2/Dockerfile
@@ -35,7 +35,7 @@ EXPOSE 8080
 # =====
 
 ENV CN_VERSION=1.0.0-SNAPSHOT
-ENV CN_BUILD_DATE='2022-01-25 05:48'
+ENV CN_BUILD_DATE='2022-02-07 16:34'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-fido2-server/${CN_VERSION}/jans-fido2-server-${CN_VERSION}.war
 
 # Install FIDO2

diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -1,4 +1,5 @@
 import contextlib
+import itertools
 import json
 import logging.config
 import os
@@ -49,6 +50,48 @@ def __init__(self):
 #: ID of manager group
 JANS_MANAGER_GROUP = "inum=60B7,ou=groups,o=jans"
 
+#: ID of jans-auth config
+JANS_AUTH_CONFIG_ID = "ou=jans-auth,ou=configuration,o=jans"
+
+
+def _transform_auth_dynamic_config(conf):
+    should_update = False
+
+    if all([
+        os.environ.get("CN_DISTRIBUTION", "default") == "openbanking",
+        "dcrAuthorizationWithMTLS" not in conf,
+    ]):
+        conf["dcrAuthorizationWithMTLS"] = False
+        should_update = True
+
+    if "grantTypesAndResponseTypesAutofixEnabled" not in conf:
+        conf["grantTypesAndResponseTypesAutofixEnabled"] = False
+        should_update = True
+
+    if "sessionIdEnabled" in conf:
+        conf.pop("sessionIdEnabled")
+        should_update = True
+
+    # assert the authorizationRequestCustomAllowedParameters contains dict values instead of string
+    params_with_dict = list(itertools.takewhile(
+        lambda x: isinstance(x, dict), conf["authorizationRequestCustomAllowedParameters"]
+    ))
+    if not params_with_dict:
+        conf["authorizationRequestCustomAllowedParameters"] = list(map(
+            lambda p: {"paramName": p[0], "returnInResponse": p[1]},
+            [
+                ("customParam1", False),
+                ("customParam2", False),
+                ("customParam3", False),
+                ("customParam4", True),
+                ("customParam5", True),
+            ]
+        ))
+        should_update = True
+
+    # return the conf and flag to determine whether it needs update or not
+    return conf, should_update
+
 
 class LDAPBackend(BaseBackend):
     def __init__(self, manager):
@@ -166,6 +209,17 @@ def update_base_entries(self):
             entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
             self.modify_entry(JANS_BASE_ID, entry.attrs)
 
+    def update_auth_dynamic_config(self):
+        entry = self.get_entry(JANS_AUTH_CONFIG_ID)
+        if not entry:
+            return
+
+        conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+        if should_update:
+            entry.attrs["jansConfDyn"] = json.dumps(conf)
+            entry.attrs["jansRevision"] += 1
+            self.modify_entry(entry.id, entry.attrs)
+
 
 class SQLBackend(BaseBackend):
     def __init__(self, manager):
@@ -272,6 +326,18 @@ def update_base_entries(self):
             entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
             self.modify_entry(id_, entry.attrs, **kwargs)
 
+    def update_auth_dynamic_config(self):
+        kwargs = {"table_name": "jansAppConf"}
+        entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+        if not entry:
+            return
+
+        conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+        if should_update:
+            entry.attrs["jansConfDyn"] = json.dumps(conf)
+            entry.attrs["jansRevision"] += 1
+            self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 
 class CouchbaseBackend(BaseBackend):
     def __init__(self, manager):
@@ -439,6 +505,18 @@ def update_base_entries(self):
             entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
             self.modify_entry(id_, entry.attrs, **kwargs)
 
+    def update_auth_dynamic_config(self):
+        kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+        entry = self.get_entry(id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+        if not entry:
+            return
+
+        conf, should_update = _transform_auth_dynamic_config(entry.attrs["jansConfDyn"])
+        if should_update:
+            entry.attrs["jansConfDyn"] = conf
+            entry.attrs["jansRevision"] += 1
+            self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 
 class SpannerBackend(BaseBackend):
     def __init__(self, manager):
@@ -545,6 +623,18 @@ def update_base_entries(self):
             entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
             self.modify_entry(id_, entry.attrs, **kwargs)
 
+    def update_auth_dynamic_config(self):
+        kwargs = {"table_name": "jansAppConf"}
+        entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+        if not entry:
+            return
+
+        conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+        if should_update:
+            entry.attrs["jansConfDyn"] = json.dumps(conf)
+            entry.attrs["jansRevision"] += 1
+            self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 
 class Upgrade:
     def __init__(self, manager):
@@ -571,3 +661,5 @@ def invoke(self):
 
         if hasattr(self.backend, "update_misc"):
             self.backend.update_misc()
+
+        self.backend.update_auth_dynamic_config()
diff --git a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json
@@ -296,6 +296,7 @@
     "invalidateSessionCookiesAfterAuthorizationFlow":false,
     "clientAuthenticationFiltersEnabled":false,
     "clientRegDefaultToCodeFlowWithRefresh": true,
+    "grantTypesAndResponseTypesAutofixEnabled": false,
     "authenticationFilters":[
         {
             "filter":"(&(mail=*{0}*)(inum={1}))",
@@ -320,7 +321,6 @@
     ],
     "sessionIdUnusedLifetime":86400,
     "sessionIdUnauthenticatedUnusedLifetime":120,
-    "sessionIdEnabled":true,
     "changeSessionIdOnAuthentication":true,
     "returnClientSecretOnRead": true,
     "sessionIdPersistOnPromptNone":true,
@@ -369,9 +369,26 @@
     "httpLoggingExludePaths": [],
     "externalLoggerConfiguration": "",
     "authorizationRequestCustomAllowedParameters" : [
-        "customParam1",
-        "customParam2",
-        "customParam3"
+        {
+            "paramName": "customParam1",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam2",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam3",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam4",
+            "returnInResponse": true
+        },
+        {
+            "paramName": "customParam5",
+            "returnInResponse": true
+        }
     ],
     "legacyDynamicRegistrationScopeParam": false,
     "openidScopeBackwardCompatibility": false,

diff --git a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json
@@ -209,6 +209,7 @@
     "dcrSignatureValidationJwksUri": null,
     "dcrAuthorizationWithClientCredentials": false,
     "dcrSkipSignatureValidation": true,
+    "dcrAuthorizationWithMTLS": false,
     "softwareStatementValidationType": "script",
     "softwareStatementValidationClaimName": "jwks_uri",
     "dynamicRegistrationEnabled":true,
@@ -227,13 +228,13 @@
     "invalidateSessionCookiesAfterAuthorizationFlow":false,
     "clientAuthenticationFiltersEnabled":false,
     "clientRegDefaultToCodeFlowWithRefresh": true,
+    "grantTypesAndResponseTypesAutofixEnabled": false,
     "authenticationFilters":[
     ],
     "clientAuthenticationFilters":[
     ],
     "sessionIdUnusedLifetime":86400,
     "sessionIdUnauthenticatedUnusedLifetime":120,
-    "sessionIdEnabled":true,
     "changeSessionIdOnAuthentication":true,
     "returnClientSecretOnRead": true,
     "sessionIdPersistOnPromptNone":true,
@@ -282,9 +283,26 @@
     "httpLoggingExludePaths": [],
     "externalLoggerConfiguration": "",
     "authorizationRequestCustomAllowedParameters" : [
-        "customParam1",
-        "customParam2",
-        "customParam3"
+        {
+            "paramName": "customParam1",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam2",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam3",
+            "returnInResponse": false
+        },
+        {
+            "paramName": "customParam4",
+            "returnInResponse": true
+        },
+        {
+            "paramName": "customParam5",
+            "returnInResponse": true
+        }
     ],
     "legacyDynamicRegistrationScopeParam": false,
     "openidScopeBackwardCompatibility": false,