fix(config-api): validation and check enabled for default authentication method #8706

Merged: 52 commits into main from jans-config-fix, Jun 14, 2024

Conversation


@pujavs pujavs commented Jun 13, 2024

Description

Target issue

closes #8683

Implementation Details

Only an enabled custom script can be set as the default authentication method.
If the default authentication method script is disabled using the config-api /jans-config-api/api/v1/config/scripts endpoint, then the default authentication value is removed.


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)
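To make the two rules in the description concrete, here is a small added example in Python. It is not Janssen code and does not reproduce the PR's own implementation in AcrsResource and CustomScriptResource; it models a script store with the two operations the description names, setting the default authentication method and enabling or disabling a custom script, and checks the invariant that ties them together. Names such as ConfigStore, set_default_acr and set_script_enabled are illustrative. Two points are assumptions of this model rather than facts stated on the page: that only person_authentication scripts count as authentication methods, and that acrValidationEnabled=false skips the check entirely.

```python
# Constructed reference model of the default-ACR rules described in this PR.
# Added example code, not Janssen's: class and method names are illustrative,
# and two points are assumptions rather than facts from the page:
# (1) only person_authentication scripts count as authentication methods,
# (2) acrValidationEnabled=false skips the check entirely.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PERSON_AUTH = "person_authentication"


class AcrValidationError(ValueError):
    """Raised when a requested default ACR is not an enabled auth script."""


@dataclass
class CustomScript:
    name: str          # the ACR value a client would send
    script_type: str   # assumption: only PERSON_AUTH scripts are ACRs
    enabled: bool


class ConfigStore:
    """In-memory stand-in for the script store and the default-ACR setting."""

    def __init__(self, scripts: Iterable[CustomScript], acr_validation_enabled: bool = True):
        self.scripts: Dict[str, CustomScript] = {s.name: s for s in scripts}
        self.acr_validation_enabled = acr_validation_enabled
        self.default_acr: Optional[str] = None

    def validate_authentication_method(self, acr: str) -> None:
        script = self.scripts.get(acr)
        if script is None:
            raise AcrValidationError(f"no custom script named {acr!r}")
        if script.script_type != PERSON_AUTH:
            raise AcrValidationError(
                f"{acr!r} is a {script.script_type} script, not an authentication method")
        if not script.enabled:
            raise AcrValidationError(f"{acr!r} is disabled; enable it before making it the default")

    def set_default_acr(self, acr: str) -> None:
        """Set-default path: refuse anything but an enabled authentication script."""
        if self.acr_validation_enabled:
            self.validate_authentication_method(acr)
        self.default_acr = acr

    def set_script_enabled(self, name: str, enabled: bool) -> None:
        """Enable/disable path: disabling the current default clears it, so the
        server falls back to its built-in default instead of keeping a
        reference to a script that can no longer run."""
        self.scripts[name].enabled = enabled
        if not enabled and self.default_acr == name:
            self.default_acr = None

    def invariant_holds(self) -> bool:
        """True when the default ACR is unset or names an enabled auth script."""
        if self.default_acr is None:
            return True
        s = self.scripts.get(self.default_acr)
        return s is not None and s.enabled and s.script_type == PERSON_AUTH


def sample_scripts() -> list:
    # Constructed sample data: one usable auth script, one disabled one,
    # and a non-authentication script that must never become the default.
    return [
        CustomScript("basic", PERSON_AUTH, enabled=True),
        CustomScript("otp", PERSON_AUTH, enabled=False),
        CustomScript("scim_event", "scim", enabled=True),
    ]


def run_scenario(validation_enabled: bool) -> dict:
    """Replay the cases from the PR description and record each outcome."""
    store = ConfigStore(sample_scripts(), acr_validation_enabled=validation_enabled)
    results = {}
    for acr in ("basic", "scim_event", "does_not_exist", "otp"):
        try:
            store.set_default_acr(acr)
            results[acr] = "accepted"
        except AcrValidationError as e:
            results[acr] = f"rejected: {e}"
    results["default_after_set"] = store.default_acr
    results["invariant_after_set"] = store.invariant_holds()
    # Now disable whatever is the current default (if it is a known script).
    if store.default_acr in store.scripts:
        store.set_script_enabled(store.default_acr, False)
    results["default_after_disable"] = store.default_acr
    results["invariant_after_disable"] = store.invariant_holds()
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print(f"acrValidationEnabled={flag}:", run_scenario(flag))
```

Run with validation on, the model shows the post-fix behaviour: a disabled, unknown or non-authentication script is refused as default, and disabling the current default clears it. Run with the flag off, it reproduces the pre-fix state in which the default can end up naming a disabled script; if acrValidationEnabled is ever turned off in dynamic-conf.json, that dangling default is the condition to check for.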

pujavs added 14 commits May 31, 2024 19:37

…thentication issue#8384
…d service validation

Signed-off-by: pujavs <pujas.works@gmail.com>

dryrunsecurity bot commented Jun 13, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
Authn/Authz Analyzer 0 findings
SQL Injection Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the security and robustness of the Jans Config API application. The changes span multiple files and components, including the ApiAppConfiguration, AcrsResource, CustomScriptService, AssetResource, CustomScriptResource, and the OpenAPI specification documentation.

Key security-related changes include:

  1. Authentication Method Validation: The addition of the acrValidationEnabled flag to ensure that the requested authentication method (ACR) is valid and active, preventing potential authentication bypass vulnerabilities.

  2. Removal of Sensitive Information: The removal of the apiClientPassword field from the configuration and the toString() method, reducing the risk of accidentally exposing sensitive information.

  3. Error Handling and Reporting: Improvements to error handling, such as the inclusion of more detailed ApiError responses, which can aid in debugging and security monitoring.

  4. Input Validation and Sanitization: Efforts to validate user input, such as the validateAuthenticationMethod function in the AcrsResource class, to prevent potential injection attacks (e.g., LDAP injection).

  5. Pagination and Result Limiting: The use of pagination and result limiting parameters in the CustomScriptService to prevent excessive resource consumption and potential denial-of-service attacks.

  6. Enabling/Disabling Custom Scripts: The ability to enable and disable custom scripts, which can be an important security feature, but requires proper access control and auditing.

  7. Asset Management: The handling of asset name conflicts and the validation of asset file extensions and module names, which can help mitigate risks associated with untrusted user-uploaded content.

  8. Audit Logging: The inclusion of audit logging functionality, which is crucial for security monitoring and incident investigation.

Overall, the changes in this pull request appear to be focused on improving the security and reliability of the Jans Config API application. While the specific security implications may depend on the broader context and architecture of the application, the changes introduced in this pull request are generally positive from an application security perspective.

Files Changed:

  1. jans-config-api/common/src/main/java/io/jans/configapi/model/configuration/ApiAppConfiguration.java: Changes related to authentication method validation and the removal of sensitive information.
  2. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AcrsResource.java: Changes to improve input validation, error handling, and dependency injection.
  3. jans-config-api/plugins/docs/user-mgt-plugin-swagger.yaml: Changes to the CustomObjectAttribute schema in the OpenAPI specification.
  4. jans-core/service/src/main/java/io/jans/service/custom/CustomScriptService.java: Changes related to logging, input validation, and pagination.
  5. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AssetResource.java: Changes to handle asset name conflicts and improve error handling.
  6. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/CustomScriptResource.java: Changes to manage the authentication method update, revision, and script location type validation.
  7. jans-config-api/docs/jans-config-api-swagger.yaml: Changes to the OpenAPI specification, including the addition of new API endpoints and error handling responses.
  8. jans-linux-setup/jans_setup/templates/jans-config-api/dynamic-conf.json: Changes to the configuration file, including ACR validation, API protection, CORS, user management, audit logging, and asset management.

Powered by DryRun Security

@mo-auto added labels comp-jans-config-api, comp-jans-core, comp-jans-linux-setup, kind-bug on Jun 13, 2024

sonarcloud bot commented Jun 13, 2024

Please retry analysis of this Pull-Request directly on SonarCloud


sonarcloud bot commented Jun 13, 2024

@yuriyz yuriyz enabled auto-merge (squash) June 13, 2024 13:31
@yuriyz yuriyz merged commit 7eb36ec into main Jun 14, 2024
9 of 10 checks passed
@yuriyz yuriyz deleted the jans-config-fix branch June 14, 2024 06:08
Labels
comp-jans-config-api, comp-jans-core, comp-jans-linux-setup, kind-bug
Development

Successfully merging this pull request may close these issues.

fix(jans-cli): CLI allows default authentication method to be set to a method which is not available
4 participants