@jgomer2001 jgomer2001 commented Jan 2, 2026

Prepare


Description

Target issue

closes #12929

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Documentation

    • Updated certificate authentication guide: reworded steps, standardized server/path examples, clarified PEM concatenation rules, improved JSON one-liner examples, and added P12 packaging instructions.
  • Chores

    • Minor formatting and whitespace cleanups.
    • Improved backend parsing and error handling for certificate metadata to enhance reliability.


Signed-off-by: jgomer2001 <bonustrack310@gmail.com>
Signed-off-by: jgomer2001 <bonustrack310@gmail.com>
coderabbitai bot commented Jan 2, 2026

📝 Walkthrough

Replaces fragile split-based DN parsing with a dedicated RFC 2253-aware helper in the cert-authn plugin, adds LDAP SDK import and error handling; updates documentation (procedural wording, URLs, paths, PEM/JSON wording) and removes trailing whitespace in the plugin POM.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: docs/casa/plugins/cert-authn.md | Reworded procedural steps (e.g., "Generate" → "Create"), added P12 packaging step, updated project archive URLs (cert-authn → cert-authn-agama), adjusted Apache VirtualHost path formatting, standardized server-name wording, clarified PEM concatenation and one-liner JSON construction, and minor spacing/formatting tweaks. |
| Build file: jans-casa/plugins/cert-authn/pom.xml | Removed extraneous trailing whitespace; no dependency or configuration changes. |
| DN parsing / service logic: jans-casa/plugins/cert-authn/src/main/java/.../CertService.java | Added LDAP SDK import, replaced inline split-based DN parsing with private getDNAttributes(String dn) that handles RFC 2253 semantics, integrated it into getExtraCertsInfo, and added try-catch logging for DN parse errors. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • moabu

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main refactoring effort to address DN parsing issues. |
| Description check | ✅ Passed | The description includes the target issue (#12929) and documents relevant changes, though static analysis and testing checkboxes remain unchecked. |
| Linked Issues check | ✅ Passed | The PR refactors DN parsing in CertService by replacing regex-based splitting with a helper method (getDNAttributes) that properly handles RFC 2253 escaped characters. |
| Out of Scope Changes check | ✅ Passed | Besides the main DN parsing refactor, documentation updates align with the issue scope; trailing whitespace removal in pom.xml is a minor cleanup not affecting scope. |
✨ Finishing touches
  • 📝 Generate docstrings


mo-auto commented Jan 2, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@mo-auto mo-auto added labels on Jan 2, 2026: area-documentation (Documentation needs to change as part of issue or PR), comp-docs (Touching folder /docs), comp-jans-casa (Touching folder /jans-casa), kind-bug (Issue or PR is a bug in existing functionality)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b73e80 and f412d98.

📒 Files selected for processing (3)
  • docs/casa/plugins/cert-authn.md
  • jans-casa/plugins/cert-authn/pom.xml
  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
🧰 Additional context used
🧠 Learnings (8)
📓 Common learnings
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/apache/certauthn_vhost_tls1.3.conf:0-0
Timestamp: 2025-12-31T16:10:36.685Z
Learning: For the cert-authn plugin in jans-casa, Apache configuration templates (such as certauthn_vhost_tls1.3.conf) are documented in the plugin documentation page rather than with inline comments in the configuration files themselves.
📚 Learning: 2025-12-31T16:22:54.513Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/pom.xml:99-109
Timestamp: 2025-12-31T16:22:54.513Z
Learning: For the cert-authn plugin (jans-casa/plugins/cert-authn/pom.xml), the jans-scim-model dependency is intentionally scoped as compile to bundle those classes into the plugin JAR. Use wildcard exclusions to prevent transitive dependencies from being included. This is a one-file, file-specific guideline; ensure this intention is well-documented in comments or a developer note. If this pattern should apply to more modules, consider converting to a broader pattern (e.g., a Maven configuration guideline) and include a rationale for bundling versus provided scope.

Applied to files:

  • jans-casa/plugins/cert-authn/pom.xml
📚 Learning: 2025-12-31T16:10:36.685Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/apache/certauthn_vhost_tls1.3.conf:0-0
Timestamp: 2025-12-31T16:10:36.685Z
Learning: For the cert-authn plugin in jans-casa, Apache configuration templates (such as certauthn_vhost_tls1.3.conf) are documented in the plugin documentation page rather than with inline comments in the configuration files themselves.

Applied to files:

  • jans-casa/plugins/cert-authn/pom.xml
  • docs/casa/plugins/cert-authn.md
📚 Learning: 2025-12-31T16:12:54.538Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/model/Reference.java:3-29
Timestamp: 2025-12-31T16:12:54.538Z
Learning: In jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/model/Reference.java, the Reference class does not require equals() and hashCode() implementations because instances are not used in collections or for value-based equality checks.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
📚 Learning: 2025-12-31T16:11:45.351Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/apache/certauthn_vhost_tls1.3.conf:23-25
Timestamp: 2025-12-31T16:11:45.351Z
Learning: In the cert-authn plugin for jans-casa, certificate validation is performed at the Java application level (via CertService and PathCertificateVerifier), not at the Apache level. The Apache configuration uses `SSLVerifyClient optional_no_ca` intentionally to accept any client certificate and forward it to the Java application via the X-ClientCert header, where proper PKIX-based validation is performed.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
  • docs/casa/plugins/cert-authn.md
📚 Learning: 2025-12-31T16:14:49.605Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java:186-191
Timestamp: 2025-12-31T16:14:49.605Z
Learning: In CertService.java (jans-casa plugins cert-authn), do not guard the result of getJansExtUid() with null checks when using the returned value on BasePerson, IdentityPerson, or CertPerson. Since getJansExtUid() never returns null, you can safely call methods on the returned List without null checks, reducing boilerplate and avoiding false negatives in reviews.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
📚 Learning: 2025-12-31T16:16:31.777Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/resources/assets/cbasic.zul:7-7
Timestamp: 2025-12-31T16:16:31.777Z
Learning: In the cert-authn plugin for jans-casa (file cbasic.zul), the base href intentionally hardcodes "https://" rather than using a dynamic protocol, because client certificate authentication inherently requires HTTPS/TLS and is not meant to work over plain HTTP.

Applied to files:

  • docs/casa/plugins/cert-authn.md
📚 Learning: 2025-12-31T16:23:03.002Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/pom.xml:99-109
Timestamp: 2025-12-31T16:23:03.002Z
Learning: In the cert-authn plugin for jans-casa (file jans-casa/plugins/cert-authn/pom.xml), the jans-scim-model dependency intentionally uses compile scope (rather than provided scope like other dependencies) to bundle the jans-scim-model classes into the plugin JAR, while using wildcard exclusions to prevent any transitive dependencies from being included.

Applied to files:

  • docs/casa/plugins/cert-authn.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: sonar scan (jans-link)
  • GitHub Check: sonar scan (jans-orm)
  • GitHub Check: sonar scan (jans-casa)
  • GitHub Check: sonar scan (agama)
  • GitHub Check: lint_docs
🔇 Additional comments (5)
jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java (2)

4-4: Wildcard import is acceptable here.

The wildcard import for com.unboundid.ldap.sdk.* is reasonable given that multiple classes (DN, RDN, Attribute) are used from this package.


234-235: Good refactor to centralize DN parsing.

Delegating to getDNAttributes() for RFC 2253-compliant parsing addresses the original issue where escaped characters (e.g., CN=Doe\, John) caused incorrect splitting.

docs/casa/plugins/cert-authn.md (2)

91-95: Good addition: P12 packaging step.

Adding the explicit step to package the certificate and key into a .p12 file improves the documentation flow and makes the process clearer for users who need to import certificates into browsers.


138-138: URL change correctly distinguishes Agama project artifact from plugin JAR.

The URL path change from cert-authn/ to cert-authn-agama/ is correct and aligns with the artifact ID defined in jans-casa/plugins/cert-authn/agama/pom.xml. The cert-authn-agama module generates a -project.zip archive via the maven-assembly-plugin, matching the documentation's expected filename. This naming pattern is consistent with other Casa plugin Agama projects in the codebase (e.g., email_2fa-agama, acct-linking-agama).

jans-casa/plugins/cert-authn/pom.xml (1)

80-110: The UnboundID LDAP SDK dependency is not missing. While CertService.java does import com.unboundid.ldap.sdk.* classes, the unboundid-ldapsdk dependency is already available through casa-shared (which cert-authn depends on with provided scope) and through jans-scim-model (which cert-authn depends on with compile scope). No additional dependency needs to be added.

Likely an incorrect or invalid review comment.

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java (1)

292-318: Good RFC 2253-compliant implementation; add defensive check for empty values.

The case sensitivity issue from the previous review is correctly addressed at line 306. However, attr.getValues()[0] could throw ArrayIndexOutOfBoundsException if the values array is empty. While unlikely for valid RDNs, a defensive check improves robustness.

Proposed defensive check
                     for (Attribute attr : attrs) {
                         String name = attr.getName().toLowerCase();
-                        if (!map.containsKey(name)) {
-                            map.put(name, attr.getValues()[0]);
+                        String[] values = attr.getValues();
+                        if (!map.containsKey(name) && values.length > 0) {
+                            map.put(name, values[0]);
                         }
                     }
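Review bot: `attr.getName().toLowerCase()` on the context line lowercases with the JVM's default locale, so the map key for an attribute name can differ between hosts (under a Turkish locale an uppercase `I` becomes a dotless `ı`); use `toLowerCase(Locale.ROOT)` so later lookups by key behave the same everywhere. The added `values.length > 0` guard also drops an attribute with no values silently; a debug-level log in that branch would make a skipped attribute visible when a certificate's metadata comes out incomplete.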
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between f412d98 and 38f889d.

📒 Files selected for processing (1)
  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/apache/certauthn_vhost_tls1.3.conf:0-0
Timestamp: 2025-12-31T16:10:36.685Z
Learning: For the cert-authn plugin in jans-casa, Apache configuration templates (such as certauthn_vhost_tls1.3.conf) are documented in the plugin documentation page rather than with inline comments in the configuration files themselves.
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/resources/assets/cbasic.zul:7-7
Timestamp: 2025-12-31T16:16:31.777Z
Learning: In the cert-authn plugin for jans-casa (file cbasic.zul), the base href intentionally hardcodes "https://" rather than using a dynamic protocol, because client certificate authentication inherently requires HTTPS/TLS and is not meant to work over plain HTTP.
📚 Learning: 2025-12-31T16:23:03.002Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/pom.xml:99-109
Timestamp: 2025-12-31T16:23:03.002Z
Learning: In the cert-authn plugin for jans-casa (file jans-casa/plugins/cert-authn/pom.xml), the jans-scim-model dependency intentionally uses compile scope (rather than provided scope like other dependencies) to bundle the jans-scim-model classes into the plugin JAR, while using wildcard exclusions to prevent any transitive dependencies from being included.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
📚 Learning: 2025-12-31T16:11:45.351Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/apache/certauthn_vhost_tls1.3.conf:23-25
Timestamp: 2025-12-31T16:11:45.351Z
Learning: In the cert-authn plugin for jans-casa, certificate validation is performed at the Java application level (via CertService and PathCertificateVerifier), not at the Apache level. The Apache configuration uses `SSLVerifyClient optional_no_ca` intentionally to accept any client certificate and forward it to the Java application via the X-ClientCert header, where proper PKIX-based validation is performed.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
📚 Learning: 2025-12-31T16:12:54.538Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/model/Reference.java:3-29
Timestamp: 2025-12-31T16:12:54.538Z
Learning: In jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/model/Reference.java, the Reference class does not require equals() and hashCode() implementations because instances are not used in collections or for value-based equality checks.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
📚 Learning: 2025-12-31T16:14:49.605Z
Learnt from: jgomer2001
Repo: JanssenProject/jans PR: 12927
File: jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java:186-191
Timestamp: 2025-12-31T16:14:49.605Z
Learning: In CertService.java (jans-casa plugins cert-authn), do not guard the result of getJansExtUid() with null checks when using the returned value on BasePerson, IdentityPerson, or CertPerson. Since getJansExtUid() never returns null, you can safely call methods on the returned List without null checks, reducing boilerplate and avoiding false negatives in reviews.

Applied to files:

  • jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: sonar scan (jans-core)
  • GitHub Check: sonar scan (jans-casa)
  • GitHub Check: sonar scan (jans-keycloak-integration)
🔇 Additional comments (1)
jans-casa/plugins/cert-authn/src/main/java/io/jans/casa/plugins/certauthn/service/CertService.java (1)

235-235: LGTM!

Clean delegation to the new RFC 2253-compliant parsing helper. This properly addresses the issue with escaped characters in DNs.
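
The difference between split-based and RFC 2253-aware DN parsing discussed in this review, as an added example that is not part of the PR or of the Janssen code base. It uses the JDK's `javax.naming.ldap.LdapName` instead of the UnboundID SDK the PR imports so that it runs without dependencies; the class name, method names and sample DNs are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnParsingDemo {
    // Split-based parsing: treats every ',' as an RDN separator, escaped or not.
    static Map<String, String> naiveSplit(String dn) {
        Map<String, String> map = new LinkedHashMap<>();
        for (String part : dn.split(",")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2) map.putIfAbsent(kv[0].toLowerCase(Locale.ROOT), kv[1]);
        }
        return map;
    }

    // RFC 2253-aware parsing; the first occurrence of an attribute name wins.
    static Map<String, String> rfc2253Parse(String dn) {
        Map<String, String> map = new LinkedHashMap<>();
        try {
            // LdapName keeps the rightmost RDN at index 0, so walk it backwards.
            List<Rdn> rdns = new LdapName(dn).getRdns();
            for (int i = rdns.size() - 1; i >= 0; i--) {
                // toAttributes() also covers multi-valued RDNs such as CN=a+UID=b.
                NamingEnumeration<? extends Attribute> en = rdns.get(i).toAttributes().getAll();
                while (en.hasMore()) {
                    Attribute attr = en.next();
                    Object value = attr.size() > 0 ? attr.get() : null;
                    if (value instanceof String) {
                        map.putIfAbsent(attr.getID().toLowerCase(Locale.ROOT), (String) value);
                    }
                }
            }
        } catch (NamingException e) {
            // Malformed DN: report it and return an empty map instead of failing.
            System.err.println("Cannot parse DN '" + dn + "': " + e.getMessage());
        }
        return map;
    }

    public static void main(String[] args) {
        // Constructed subject DNs: the escaped comma from the review, then a malformed DN.
        String[] samples = { "CN=Doe\\, John,OU=Staff,O=Example Corp", "CN=Doe,OU" };
        for (String dn : samples) {
            System.out.println(dn + " split=" + naiveSplit(dn) + " rfc2253=" + rfc2253Parse(dn));
        }
    }
}
```

For the first sample the split-based map holds `cn=Doe\` while the RFC 2253 parse yields `cn=Doe, John`; the second sample is rejected as malformed and produces an empty map.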

@moabu moabu merged commit 67adb65 into main Jan 2, 2026
3 checks passed
@moabu moabu deleted the jans-casa-issue_12929 branch January 2, 2026 16:43

Development

Successfully merging this pull request may close these issues.

fix(jans-casa): DN parsing may fail in cert authn plugin

4 participants