
ci(docker-jans-monolith): allow fqdn override #8918

Merged: 1 commit, Jul 9, 2024
Conversation

moabu (Member) commented Jul 9, 2024

Prepare


Description

Target issue

closes #8914

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Closes #8927

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@moabu moabu requested a review from iromli as a code owner July 9, 2024 13:29

dryrunsecurity bot commented Jul 9, 2024

DryRun Security Summary

The GitHub Pull Request aims to expand the functionality of the Janssen Project, an open-source identity and access management (IAM) platform, by adding new services such as CASA, Keycloak Link, Link, SAML, and OPA. It is crucial, however, to carefully review the security implications of these new components to ensure they are properly configured, secured, and integrated into the overall application architecture without compromising the application's security posture.


Summary:

The changes in this GitHub Pull Request are focused on expanding the functionality of the Janssen Project, an open-source identity and access management (IAM) platform, by adding new services such as CASA (Contextual Authentication Service Adapter), Keycloak Link, Link, SAML, and OPA. While these additions can enhance the application's capabilities, it is crucial to carefully review the security implications of these new components.

From an application security perspective, the key areas of concern are the handling of sensitive configurations, such as hardcoded credentials and hostname changes, as well as the potential introduction of new attack surfaces with the addition of new services. It is important to ensure that these new components are properly configured, secured, and integrated into the overall application architecture without compromising the application's security posture.

Additionally, the presence of test-related environment variables and configurations suggests the existence of a separate test or development environment, which should also be reviewed to ensure that sensitive information is not inadvertently exposed or accessible in these non-production environments.

Files Changed:

  1. docker-jans-monolith/scripts/entrypoint.sh:

    • The changes add new service start commands for CASA, Keycloak Link, and Link, indicating the expansion of Janssen's functionality.
    • It's important to review the configurations and security controls for these new services to ensure they are properly secured.
    • Sensitive environment variables, such as hostname, organization name, email, and database credentials, should be properly secured and not exposed in the codebase or deployment process.
  2. docker-jans-monolith/jans-mysql-compose.yml and docker-jans-monolith/jans-postgres-compose.yml:

    • The changes remove the CN_HOSTNAME environment variable, which could impact the application's hostname-related functionality.
    • Several new environment variables are added to enable the installation of additional components, such as CASA, KC_LINK, LOCK, SAML, and OPA, which should be reviewed for potential security implications.
    • Hardcoded credentials, including admin passwords, test client secrets, and database credentials, are present in the configuration and should be managed more securely.
    • The database configuration, including the database name, user, and password, is hardcoded, which could make it more difficult to manage and rotate these credentials in the future.
  3. docker-jans-monolith/jans-ldap-compose.yml:

    • The CN_HOSTNAME environment variable has been commented out, indicating a potential change in the hostname or domain used for the application.
    • Several new environment variables enable additional services, such as CASA, KC Link, Lock, SAML, and OPA, which should be reviewed for security implications.
    • Hardcoded credentials, such as the CN_ADMIN_PASS and TEST_CLIENT_SECRET, are still present in the configuration.

Overall, the changes in this Pull Request focus on expanding the Janssen Project's functionality by adding new services. It is crucial that an application security engineer thoroughly review these changes to ensure that the new components are properly configured, secured, and integrated into the application without introducing any security vulnerabilities.

Code Analysis

We ran 7 analyzers against 4 files and 0 analyzers had findings. 7 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

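An added example, not code from the Janssen project or from this PR, illustrating two points the DryRun summary raises for the monolith image: resolving the container's FQDN from an explicit override (CN_HOSTNAME, the variable the summary names) with a fallback, and refusing to start when a credential such as CN_ADMIN_PASS is absent instead of hardcoding it in the compose file. The default FQDN `demo.example.org`, the function names `is_fqdn`, `resolve_fqdn` and `require_secret`, and the validation rule are assumptions; the check is syntactic only (RFC 1123 label shape, at least two labels, 253-character limit) and performs no DNS lookup.

```shell
#!/bin/sh
# Added example, not the Janssen project's entrypoint. Assumed names:
# CN_HOSTNAME (override), demo.example.org (hypothetical default),
# CN_ADMIN_PASS (credential that must come from the environment).

# is_fqdn NAME: succeed if NAME is a syntactically valid fully qualified
# hostname: <=253 chars, two or more labels, each label 1-63 chars of
# letters/digits/hyphens with no leading or trailing hyphen. No DNS lookup.
is_fqdn() {
  name=${1%.}                                 # tolerate one trailing dot
  [ -n "$name" ] || return 1
  [ "${#name}" -le 253 ] || return 1
  case "$name" in *.*) ;; *) return 1 ;; esac # "localhost" is not qualified
  printf '%s\n' "$name" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# resolve_fqdn OVERRIDE DEFAULT: print the FQDN to use. A non-empty override
# wins; whichever value is chosen must pass is_fqdn, so a typo in the
# override fails the start instead of reaching the TLS cert or issuer URL.
resolve_fqdn() {
  override=$1
  default=$2
  if [ -n "$override" ]; then
    chosen=$override; origin=override
  else
    chosen=$default; origin=default
  fi
  if ! is_fqdn "$chosen"; then
    echo "resolve_fqdn: '$chosen' (from $origin) is not a valid FQDN" >&2
    return 1
  fi
  printf '%s\n' "$chosen"
}

# require_secret VARNAME VALUE: fail when a credential is empty. This is the
# alternative to shipping CN_ADMIN_PASS or TEST_CLIENT_SECRET as literals in
# a compose file: the value has to be injected at deploy time.
require_secret() {
  if [ -z "$2" ]; then
    echo "require_secret: $1 must be supplied via the environment or a secrets file" >&2
    return 1
  fi
}

# Stand-alone demonstration; set FQDN_DEMO=0 to skip it when sourcing.
if [ "${FQDN_DEMO:-1}" = 1 ]; then
  fqdn=$(resolve_fqdn "${CN_HOSTNAME:-}" "demo.example.org") && echo "using FQDN: $fqdn"
  if require_secret CN_ADMIN_PASS "${CN_ADMIN_PASS:-}"; then
    echo "CN_ADMIN_PASS supplied"
  fi
fi
```

Running `CN_HOSTNAME=auth.example.org CN_ADMIN_PASS=... sh ./fqdn-check.sh` uses the override; leaving CN_HOSTNAME unset falls back to the assumed default, and an unset CN_ADMIN_PASS is reported rather than silently replaced by a built-in value.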

@moabu moabu merged commit ea93e5b into main Jul 9, 2024
9 checks passed
@moabu moabu deleted the fix-allow-fqdn-override branch July 9, 2024 13:29
@mo-auto mo-auto added the area-CI Issue or changes required in automatic builds or CI infrastructure label Jul 9, 2024
mo-auto (Member) commented Jul 9, 2024

Error: Hi @moabu, you did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issue's title and body and make sure I correctly referenced it in the above PR's body.
