Merge branch 'main' into jans-auth-server-1208-6

# Conflicts:
#	jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java

.github/workflows/release.yaml

@@ -46,7 +46,7 @@ jobs:
       #max-parallel: 1
       fail-fast: false
       matrix:
-        simple: [ "super-jans", "docs", "jans-scim", "jans-orm", "jans-notify", "jans-fido2", "jans-eleven", "jans-core", "jans-config-api", "jans-client-api", "jans-bom", "jans-auth-server" ]
+        simple: [ "super-jans", "docs" ]
     steps:
     - name: Checkout
       uses: actions/checkout@v3
@@ -76,9 +76,46 @@ jobs:
          release-type: simple
          package-name: ${{ matrix.simple }}
          monorepo-tags: true
-  release-docker-pr:
+  release-java-pr:
     needs: release-simple-pr
     runs-on: ubuntu-latest
+    strategy:
+      #max-parallel: 1
+      fail-fast: false
+      matrix:
+        maven: [ "jans-scim", "jans-orm", "jans-notify", "jans-fido2", "jans-eleven", "jans-core", "jans-config-api", "jans-client-api", "jans-bom", "jans-auth-server" ]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: Import GPG key
+      id: import_gpg
+      uses: crazy-max/ghaction-import-gpg@v4
+      with:
+        gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+
+    - name: Configure Git
+      run: |
+        git config user.name "mo-auto"
+        git config user.email "54212639+mo-auto@users.noreply.github.com"
+        git config --global user.signingkey "${{ steps.import_gpg.outputs.keyid }}"
+
+    - uses: google-github-actions/release-please-action@v3.2
+      id: release-please
+      with:
+         path: ${{ matrix.maven }}
+         token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
+         release-type: maven
+         package-name: ${{ matrix.maven }}
+         monorepo-tags: true
+  release-docker-pr:
+    needs: release-java-pr
+    runs-on: ubuntu-latest
     strategy:
       #max-parallel: 1
       fail-fast: false

docker-jans-persistence-loader/Dockerfile

@@ -23,7 +23,7 @@ RUN python3 -m ensurepip \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_LINUX_SETUP_VERSION=fc9544c861f30eb7370f635b07d9810ae33a7dba
+ENV JANS_LINUX_SETUP_VERSION=eb113d09421b95671fe1ab4eaa5c4bafc2aed6af
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)
@@ -65,10 +65,6 @@ RUN cd /tmp/jans \
 # Download jans-config-api-swagger for role_scope_mapping
 RUN wget -q https://github.com/JanssenProject/jans/raw/${JANS_LINUX_SETUP_VERSION}/jans-config-api/docs/jans-config-api-swagger.yaml -P /app/static
 
-# TODO: casa should be moved from this image
-ENV GLUU_CASA_VERSION=a8251496ff2ade9dd8101873b45f4c490ae9c64e
-RUN wget -q https://github.com/GluuFederation/flex/raw/${GLUU_CASA_VERSION}/casa/extras/Casa.py -O /app/static/extension/person_authentication/Casa.py
-
 # cleanup
 RUN rm -rf /tmp/jans
 
@@ -157,7 +153,6 @@ ENV CN_CACHE_TYPE=NATIVE_PERSISTENCE \
     CN_REDIS_SENTINEL_GROUP="" \
     CN_MEMCACHED_URL=localhost:11211 \
     CN_WAIT_SLEEP_DURATION=10 \
-    CN_CASA_ENABLED=false \
     CN_SCIM_ENABLED=false \
     CN_PERSISTENCE_SKIP_INITIALIZED=false \
     CN_DOCUMENT_STORE_TYPE=LOCAL \

docker-jans-persistence-loader/README.md

@@ -62,7 +62,6 @@ The following environment variables are supported by the container:
 - `CN_COUCHBASE_CERT_FILE`: Couchbase root certificate location (default to `/etc/certs/couchbase.crt`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`.
 - `CN_COUCHBASE_PASSWORD_FILE`: Path to file contains Couchbase password (default to `/etc/jans/conf/couchbase_password`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`.
 - `CN_COUCHBASE_SUPERUSER_PASSWORD_FILE`: Path to file contains Couchbase superuser password (default to `/etc/jans/conf/couchbase_superuser_password`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`.
-- `CN_CASA_ENABLED`: Enable Casa-related features; custom scripts, ACR, UI menu, etc. (default to `false`).
 - `CN_DOCUMENT_STORE_TYPE`: Document store type (one of `LOCAL` or `JCA`; default to `LOCAL`).
 - `CN_JACKRABBIT_URL`: URL to remote repository (default to `http://localhost:8080`).
 - `CN_JACKRABBIT_ADMIN_ID_FILE`: Absolute path to file contains ID for admin user (default to `/etc/jans/conf/jackrabbit_admin_id`).

docker-jans-persistence-loader/scripts/upgrade.py

@@ -680,13 +680,16 @@ def update_admin_ui_config(self):
                 api_admin_perms = api_role["permissions"]
                 break
 
-        # current permissions
         try:
             current_role_mapping = json.loads(entry.attrs["jansConfDyn"])
         except TypeError:
             current_role_mapping = entry.attrs["jansConfDyn"]
+
         should_update = False
 
+        # check for rolePermissionMapping
+        #
+        # - compare role permissions for api-admin
         for i, api_role in enumerate(current_role_mapping["rolePermissionMapping"]):
             if api_role["role"] == "api-admin":
                 # compare permissions between the ones from persistence (current) and newer permissions
@@ -695,6 +698,30 @@ def update_admin_ui_config(self):
                     should_update = True
                 break
 
+        # check for permissions
+        #
+        # - add new permission if not exist
+        # - add defaultPermissionInToken (if not exist) in each permission
+
+        # determine current permission with index/position
+        current_perms = {
+            permission["permission"]: {"index": i}
+            for i, permission in enumerate(current_role_mapping["permissions"])
+        }
+
+        for perm in role_mapping["permissions"]:
+            if perm["permission"] not in current_perms:
+                # add missing permission
+                current_role_mapping["permissions"].append(perm)
+                should_update = True
+            else:
+                # add missing defaultPermissionInToken
+                index = current_perms[perm["permission"]]["index"]
+                if "defaultPermissionInToken" in current_role_mapping["permissions"][index]:
+                    continue
+                current_role_mapping["permissions"][index]["defaultPermissionInToken"] = perm["defaultPermissionInToken"]
+                should_update = True
+
         if should_update:
             entry.attrs["jansConfDyn"] = json.dumps(current_role_mapping)
             entry.attrs["jansRevision"] += 1

docker-jans-persistence-loader/scripts/utils.py

@@ -76,7 +76,6 @@ def get_base_ctx(manager):
     redis_ssl_truststore = os.environ.get("CN_REDIS_SSL_TRUSTSTORE", "")
     redis_sentinel_group = os.environ.get("CN_REDIS_SENTINEL_GROUP", "")
     memcached_url = os.environ.get('CN_MEMCACHED_URL', 'localhost:11211')
-    casa_enabled = os.environ.get("CN_CASA_ENABLED", False)
     scim_enabled = os.environ.get("CN_SCIM_ENABLED", False)
 
     ctx = {
@@ -131,7 +130,6 @@ def get_base_ctx(manager):
         "admin_inum": manager.config.get("admin_inum"),
         "scim_client_id": manager.config.get("scim_client_id"),
         "scim_client_encoded_pw": manager.secret.get("scim_client_encoded_pw"),
-        "casa_enable_script": str(as_boolean(casa_enabled)).lower(),
         "jca_client_id": manager.config.get("jca_client_id"),
         "jca_client_encoded_pw": manager.secret.get("jca_client_encoded_pw"),
     }
@@ -329,28 +327,6 @@ def get_injected_urls():
     return ctx
 
 
-def merge_casa_ctx(manager, ctx):
-    # Casa client
-    ctx["casa_client_id"] = manager.config.get("casa_client_id")
-    if not ctx["casa_client_id"]:
-        ctx["casa_client_id"] = f"1902.{uuid4()}"
-        manager.config.set("casa_client_id", ctx["casa_client_id"])
-
-    ctx["casa_client_pw"] = manager.secret.get("casa_client_pw")
-    if not ctx["casa_client_pw"]:
-        ctx["casa_client_pw"] = get_random_chars()
-        manager.secret.set("casa_client_pw", ctx["casa_client_pw"])
-
-    ctx["casa_client_encoded_pw"] = manager.secret.get("casa_client_encoded_pw")
-    if not ctx["casa_client_encoded_pw"]:
-        ctx["casa_client_encoded_pw"] = encode_text(
-            ctx["casa_client_pw"], manager.secret.get("encoded_salt"),
-        ).decode()
-        manager.secret.set("casa_client_encoded_pw", ctx["casa_client_encoded_pw"])
-
-    return ctx
-
-
 def merge_jans_cli_ctx(manager, ctx):
     # WARNING:
     # - deprecated configs and secrets for role_based
@@ -378,18 +354,13 @@ def merge_jans_cli_ctx(manager, ctx):
 
 
 def prepare_template_ctx(manager):
-    opt_scopes = json.loads(manager.config.get("optional_scopes", "[]"))
-
     ctx = get_base_ctx(manager)
     ctx = merge_extension_ctx(ctx)
     ctx = merge_auth_ctx(ctx)
     ctx = merge_config_api_ctx(ctx)
     ctx = merge_fido2_ctx(ctx)
     ctx = merge_scim_ctx(ctx)
     ctx = merge_jans_cli_ctx(manager, ctx)
-
-    if "casa" in opt_scopes:
-        ctx = merge_casa_ctx(manager, ctx)
     return ctx
 
 
@@ -440,13 +411,6 @@ def default_files():
             files += [
                 "jans-fido2/fido2.ldif",
             ]
-
-        if "casa" in optional_scopes:
-            files += [
-                "gluu-casa/configuration.ldif",
-                "gluu-casa/clients.ldif",
-                "gluu-casa/scripts.ldif",
-            ]
         return files
 
     def user_files():

jans-auth-server/common/src/main/java/io/jans/as/common/util/CommonUtils.java

@@ -0,0 +1,21 @@
+package io.jans.as.common.util;
+
+import com.google.common.base.Strings;
+import io.jans.as.common.model.registration.Client;
+import io.jans.as.model.util.JwtUtil;
+import org.json.JSONObject;
+
+/**
+ * @author Yuriy Zabrovarnyy
+ */
+public class CommonUtils {
+
+    private CommonUtils() {
+    }
+
+    public static JSONObject getJwks(Client client) {
+        return Strings.isNullOrEmpty(client.getJwks())
+                ? JwtUtil.getJSONWebKeys(client.getJwksUri())
+                : new JSONObject(client.getJwks());
+    }
+}

jans-auth-server/server/src/main/java/io/jans/as/server/auth/MTLSService.java

@@ -6,8 +6,8 @@
 
 package io.jans.as.server.auth;
 
-import com.google.common.base.Strings;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeRequestParam;
 import io.jans.as.model.common.AuthenticationMethod;
 import io.jans.as.model.common.Prompt;
@@ -19,7 +19,6 @@
 import io.jans.as.model.token.TokenErrorResponseType;
 import io.jans.as.model.util.CertUtils;
 import io.jans.as.model.util.HashUtil;
-import io.jans.as.model.util.JwtUtil;
 import io.jans.as.server.model.common.SessionId;
 import io.jans.as.server.model.common.SessionIdState;
 import io.jans.as.server.service.SessionIdService;
@@ -130,9 +129,7 @@ public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse h
             final PublicKey publicKey = cert.getPublicKey();
             final byte[] encodedKey = publicKey.getEncoded();
 
-            JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks())
-                    ? JwtUtil.getJSONWebKeys(client.getJwksUri())
-                    : new JSONObject(client.getJwks());
+            JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 
             if (jsonWebKeys == null) {
                 log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(),

jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java

@@ -5,6 +5,7 @@
 import io.jans.as.common.model.common.User;
 import io.jans.as.common.model.registration.Client;
 import io.jans.as.common.util.RedirectUri;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.ResponseMode;
 import io.jans.as.model.config.WebKeysConfiguration;
@@ -357,7 +358,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
                     String nestedKeyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration,
                             Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
 
-                    JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+                    JSONObject jsonWebKeys = CommonUtils.getJwks(client);
                     redirectUriResponse.getRedirectUri().setNestedJsonWebKeys(jsonWebKeys);
 
                     String clientSecret = clientService.decryptSecret(client.getClientSecret());
@@ -366,7 +367,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
                 }
 
                 // Encrypted response
-                JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+                JSONObject jsonWebKeys = CommonUtils.getJwks(client);
                 if (jsonWebKeys != null) {
                     keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys),
                             Algorithm.fromString(client.getAttributes().getAuthorizationEncryptedResponseAlg()),
@@ -387,7 +388,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
                 keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration,
                         Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
 
-                JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+                JSONObject jsonWebKeys = CommonUtils.getJwks(client);
                 redirectUriResponse.getRedirectUri().setJsonWebKeys(jsonWebKeys);
 
                 String clientSecret = clientService.decryptSecret(client.getClientSecret());

jans-auth-server/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java

@@ -6,9 +6,9 @@
 
 package io.jans.as.server.model.authorize;
 
-import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.Display;
 import io.jans.as.model.common.Prompt;
@@ -322,9 +322,7 @@ private void loadPayload(String payload) throws JSONException, UnsupportedEncodi
     private boolean validateSignature(@NotNull AbstractCryptoProvider cryptoProvider, SignatureAlgorithm signatureAlgorithm, Client client, String signingInput, String signature) throws Exception {
         ClientService clientService = CdiUtil.bean(ClientService.class);
         String sharedSecret = clientService.decryptSecret(client.getClientSecret());
-        JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
-                JwtUtil.getJSONWebKeys(client.getJwksUri()) :
-                new JSONObject(client.getJwks());
+        JSONObject jwks = CommonUtils.getJwks(client);
         return cryptoProvider.verifySignature(signingInput, signature, keyId, jwks, sharedSecret, signatureAlgorithm);
     }