
feat: apply password validation #8716

Merged
merged 3 commits into from
Jun 17, 2024

Conversation

jgomer2001 (Contributor)

Prepare


Description

Target issue

closes #8146

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>
Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

dryrunsecurity bot commented Jun 14, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security                  Status    Findings
Secrets Analyzer                           0 findings
Configured Codepaths Analyzer              0 findings
IDOR Analyzer                              0 findings
Sensitive Files Analyzer                   0 findings
Authn/Authz Analyzer                       0 findings
SQL Injection Analyzer                     0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are primarily focused on enhancing the security and integrity of the user management functionality in the Jans SCIM (System for Cross-domain Identity Management) application. The key changes include:

  1. Password Validation Enforcement: The introduction of a new configuration parameter skipDefinedPasswordValidation and the implementation of password validation logic in the Scim2UserService and UserWebService classes ensure that the SCIM service enforces the defined password validation rules. This helps to improve the overall security of the application by requiring users to set strong, secure passwords.

  2. Duplicate Username Checks: The code now includes checks for duplicate usernames (also referred to as UIDs) when creating or updating user resources. This helps maintain the uniqueness of user identities, which is crucial for access control and audit purposes.

  3. Patch Operation Handling: The PATCH operation for updating user resources has been implemented in a way that re-validates the final user resource representation after applying the partial updates. This helps to ensure that the application state remains consistent and secure after the updates.

  4. Documentation Improvements: The changes include updates to the SCIM-related documentation, providing more details and examples on the SCIM API, including information on API protection, authorization, and performance considerations.

From an application security perspective, these changes are positive steps towards strengthening the security of the Jans SCIM application. By enforcing password validation, preventing duplicate usernames, and carefully handling partial updates, the application can better protect against common security vulnerabilities and improve the overall security posture.

Files Changed:

  1. jans-linux-setup/jans_setup/templates/jans-scim/dynamic-conf.json: This file has been updated to include a new configuration parameter "skipDefinedPasswordValidation": false, which ensures that the SCIM service enforces the defined password validation rules.

  2. docs/admin/scim/config.md: The documentation has been updated to provide more information about the skipDefinedPasswordValidation configuration parameter, including the potential security implications and best practices for its use.

  3. jans-scim/model/src/main/java/io/jans/scim/model/conf/AppConfiguration.java: The AppConfiguration class has been updated to include the skipDefinedPasswordValidation property, allowing the application to bypass the defined password validation rules.

  4. jans-scim/server/src/main/java/io/jans/scim/service/scim2/Scim2UserService.java: This class has been updated to include a new passwordValidationPassed() method, which implements the password validation logic based on the configured password policy.

  5. docs/admin/usermgmt/usermgmt-scim.md: The documentation has been updated to provide more detailed information and examples on the SCIM API, including details on API protection, authorization, and performance considerations.

  6. jans-scim/server/src/main/java/io/jans/scim/ws/rs/scim2/UserWebService.java: The UserWebService class has been updated to include the executeUserValidation() method, which performs additional validation on the user resource, including password validation and duplicate username checks.

Powered by DryRun Security
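As an added illustration of the validation flow the summary describes (example code written for this page, not the Janssen SCIM implementation): a minimal in-memory user service that bypasses the password policy only when skipDefinedPasswordValidation is set, rejects duplicate userNames on create and update, and applies a PATCH to a copy so the final representation is re-validated before anything is stored. The password rules, method names and resource layout are assumptions made for the example.

```python
import copy
import re

class SCIMValidationError(ValueError):
    """Raised when a user resource fails validation (would map to a SCIM 400 response)."""

class Scim2UserService:
    """Illustrative in-memory SCIM user store, not the Janssen code; policy rules are constructed."""

    def __init__(self, skip_defined_password_validation=False):
        self.skip_defined_password_validation = skip_defined_password_validation
        self.users = {}  # resource id -> user dict
        self._next_id = 1

    def password_validation_passed(self, password):
        # Mirrors the skipDefinedPasswordValidation flag: when true the policy is bypassed.
        if self.skip_defined_password_validation:
            return True
        # Hypothetical policy: at least 8 characters with a digit, an upper- and a lower-case letter.
        return len(password) >= 8 and all(
            re.search(pat, password) for pat in (r"\d", r"[A-Z]", r"[a-z]"))

    def execute_user_validation(self, user, current_id=None):
        name = user.get("userName")
        if not name:
            raise SCIMValidationError("userName is required")
        # Duplicate check: userName is not case-exact in SCIM, and an update may keep its own name.
        for uid, existing in self.users.items():
            if uid != current_id and existing["userName"].lower() == name.lower():
                raise SCIMValidationError("userName already in use")
        if "password" in user and not self.password_validation_passed(user["password"]):
            raise SCIMValidationError("password does not satisfy the defined policy")

    def create(self, user):
        self.execute_user_validation(user)
        uid, self._next_id = str(self._next_id), self._next_id + 1
        self.users[uid] = copy.deepcopy(user)
        return uid

    def patch(self, uid, operations):
        # Apply the partial update to a copy and validate the final representation;
        # the stored resource is replaced only when validation passes (add/replace only here).
        candidate = copy.deepcopy(self.users[uid])
        for op in operations:
            if op["op"] in ("add", "replace"):
                candidate[op["path"]] = op["value"]
        self.execute_user_validation(candidate, current_id=uid)
        self.users[uid] = candidate
        return candidate
```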

@mo-auto mo-auto added the labels area-documentation, comp-jans-scim and kind-feature on Jun 14, 2024
sonarcloud bot commented Jun 14, 2024

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>
sonarcloud bot commented Jun 14, 2024

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@yurem yurem enabled auto-merge (squash) June 15, 2024 13:36
@yurem yurem merged commit 232a6eb into main Jun 17, 2024
9 checks passed
@yurem yurem deleted the jans-scim-issue_8146 branch June 17, 2024 05:14
Development

Successfully merging this pull request may close these issues.

fix(jans-scim): SCIM not responding to applied Password validation
4 participants