feat(jans-linux-setup): lock metadata well-known endpoint #8682

devrimyatar · 2024-06-09T20:36:15Z

Signed-off-by: Mustafa Baser <mbaser@mail.com>

dryrunsecurity · 2024-06-09T20:36:26Z

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on the installation and configuration of various components within the Jans open-source identity and access management (IAM) platform. The changes cover a wide range of areas, including:

Dynamic Endpoint Configuration: The changes in the dynamic-conf.json file allow for more flexibility in the application's deployment by using a dynamic base_endpoint configuration value, which should be properly validated and sanitized.
Apache Configuration: The changes in the https_jans.conf file configure the Apache web server to handle various Jans components, including setting up proxy configurations, cookie handling, SSL/TLS settings, and security headers.
Jans Auth Server Installation: The changes in the jans_auth.py file handle the installation and configuration of the Jans Auth Server, including the generation and management of cryptographic keys, role-scope mappings, and the setup of external libraries.
Jans Lock Installation: The changes in the jans_lock.py file handle the installation and configuration of the Jans Lock component, including the setup of the Apache web server and the installation of the Open Policy Agent (OPA).
Jans Auth Service Startup: The changes in the jans-auth file update the startup script for the Jans Auth service, allowing for configurable port settings and proper resource allocation.

From an application security perspective, the key areas to focus on are:

Ensuring that all user-controlled inputs are properly validated and sanitized to prevent potential security issues, such as open redirect vulnerabilities or directory traversal attacks.
Maintaining secure cryptographic key management practices, including key rotation and secure key storage, for the OIDC keys and other sensitive cryptographic materials.
Regularly reviewing and updating the external libraries used by the Jans components to address any security vulnerabilities.
Continuously monitoring the security posture of the Jans platform and its components, including the Apache web server configuration, the Jans Auth Server, and the Jans Lock component.

Files Changed:

jans-linux-setup/jans_setup/templates/jans-lock/dynamic-conf.json: This file includes changes to the baseEndpoint configuration, which should be properly validated and sanitized. It also includes an opaConfiguration section with an accessToken field, which should be managed securely.
jans-linux-setup/jans_setup/setup_app/installers/jans_lock.py: This file includes changes related to the installation and configuration of the Jans Lock component, including the setup of the Apache web server and the installation of the Open Policy Agent (OPA).
jans-linux-setup/jans_setup/templates/apache/https_jans.conf: This file includes changes to the Apache web server configuration, including proxy configurations, cookie handling, SSL/TLS settings, and security headers.
jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py: This file includes changes related to the installation and configuration of the Jans Auth Server, including the generation and management of cryptographic keys, role-scope mappings, and the setup of external libraries.
jans-linux-setup/jans_setup/templates/jetty/jans-auth: This file includes changes to the startup script for the Jans Auth service, allowing for configurable port settings and proper resource allocation.