Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enable missing services in docker monolith #8915

Merged
merged 1 commit into from
Jul 9, 2024
Merged

feat: enable missing services in docker monolith #8915

merged 1 commit into from
Jul 9, 2024

Conversation

moabu
Copy link
Member

@moabu moabu commented Jul 9, 2024
edited by mo-auto
Loading

Prepare

Description

Target issue

closes #8914

Implementation Details

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Closes #8923,

@moabu
feat: enable missing services in docker monolith
6ed0461 
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@moabu moabu requested a review from iromli as a code owner July 9, 2024 11:43
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jul 9, 2024
edited
Loading

DryRun Security Summary

The pull request includes changes related to the installation and configuration of the Janssen authorization server, including the addition of support for new components, setup of a test client configuration, and handling of sensitive information such as passwords and credentials, with security considerations around the installation process, certificate management, test data, and logging.

Expand for full summary

Summary:

The code changes in this pull request are related to the installation and configuration of the Janssen (Jans) authorization server. The key changes include the addition of support for installing new components such as CASA, Keycloak Link, Jans Link, Jans Lock, Jans SAML, and OPA, as well as the setup of a test client configuration.

From an application security perspective, there are several important points to consider. First, the code handles sensitive information such as admin passwords, LDAP passwords, and database credentials, which must be properly secured and not exposed in the environment or logs. Second, the installation process involves downloading and executing a script from a remote GitHub repository, so the source of this script should be trusted, and the download process should be secure. Third, the code includes steps for certificate management, which is crucial for secure communication. Fourth, the test data and profiles prepared by the code should not contain any sensitive or production-like data that could be misused. Finally, the logging process should be reviewed to ensure that it does not contain any sensitive information.

Files Changed:

  1. docker-jans-monolith/scripts/entrypoint.sh:

    • Supports the installation of additional components such as CASA, Keycloak Link, Jans Link, Jans Lock, Jans SAML, and OPA.
    • Sets up the configuration for a test client, including the client ID, client secret, and whether the client is trusted or not.
    • Handles sensitive information such as admin passwords, LDAP passwords, and database credentials.
    • Downloads and executes a script from a remote GitHub repository.
    • Registers an FQDN with Certbot and installs the Janssen server's SSL/TLS certificate in the local Java keystore.
    • Prepares test data and profiles for the Janssen auth server.
    • Sets up logging for various Janssen components.

  2. docker-jans-monolith/Dockerfile:

    • Introduces the installation of several new components, including CASA, KC Link, Link, Lock, SAML, and OPA.
    • Sets various environment variables that may contain sensitive information, such as admin passwords and test client credentials.
    • Sets the database-related environment variables, which should be properly secured to prevent potential SQL injection vulnerabilities.
    • Includes a healthcheck command that should be reviewed to ensure it does not expose any sensitive information or introduce any security vulnerabilities.
    • Exposes ports 443, 8080, and 1636, which should be properly secured and access to them should be restricted.
    • Includes commands to set the permissions and ownership of various files and directories, which should be reviewed for security implications.
    • Installs various dependencies, which should be kept up-to-date and free of known vulnerabilities.

Code Analysis

We ran 7 analyzers against 2 files and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@moabu moabu merged commit 4de98cc into main Jul 9, 2024
9 checks passed
@moabu moabu deleted the feat-8914 branch July 9, 2024 11:43
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Jul 9, 2024
@mo-auto
Copy link
Member

mo-auto commented Jul 9, 2024

Error: Hi @moabu, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.

@mo-auto mo-auto mentioned this pull request Jul 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iromli iromli Awaiting requested review from iromli iromli is a code owner

Assignees
No one assigned
Labels
kind-feature Issue or PR is a new feature request
Projects
None yet
Milestone
No milestone
2 participants
@moabu @mo-auto