fix(jans-linux-setup): dummy values for KC db options #8821

devrimyatar · 2024-06-29T09:03:22Z

Signed-off-by: Mustafa Baser <mbaser@mail.com>

dryrunsecurity · 2024-06-29T09:03:37Z

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Authn/Authz Analyzer	❕	1 finding
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on the configuration and installation of the Jans SAML (Security Assertion Markup Language) component, specifically its integration with the Keycloak identity provider (IDP). The key changes include updates to the database configuration, hostname settings, and port settings, as well as the addition of observability, proxy header handling, and logging configurations. From an application security perspective, these changes are generally positive as they improve the flexibility, deployment, and monitoring capabilities of the application.

However, there are several areas that require careful review and validation to ensure the overall security of the system. These include the secure storage and management of sensitive credentials (such as database and Keycloak admin credentials), the proper configuration of authentication flows and execution steps, the secure handling of sensitive data, and the verification of the integrity and security of all dependencies. Additionally, the permissions and ownership of directories and files should be reviewed to prevent any unintended access or privilege escalation vulnerabilities.

Files Changed:

jans-linux-setup/jans_setup/templates/jans-saml/keycloak.conf:
- The database configuration has been updated to use variables instead of hardcoded values.
- The hostname setting has been changed from %(kc_hostname)s to %(keycloack_hostname)s, potentially fixing a typo.
- The http-port setting has been updated to use the %(idp_config_http_port)s variable.
- The configuration includes settings for health checks, metrics collection, proxy headers, and logging, which are important for observability and security monitoring.
jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py:
- The code sets up various Keycloak-related configurations, such as the admin realm, username, and password, as well as a client, user, and assigned roles for the "jans-api-user".
- The code configures a custom authentication flow and execution steps within the Keycloak realm.
- The code creates a user storage provider component within the Keycloak realm.
- The code generates and uses various sensitive values, such as client secrets, user passwords, and LDAP configuration data.
- The code downloads and extracts several JAR files and ZIP archives from various sources.
- The code sets the ownership and permissions of various directories and files.