You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.
I confirm that there is no impact on the docs due to the code changes in this PR.
The pull request focuses on improving the security and reliability of the persistence layer across various Jans applications, including changes to remove hardcoded passwords, secure configuration management, simplify the persistence layer, enhance logging and monitoring, and ensure secure LDIF file handling.
Expand for full summary
Summary:
The code changes in this pull request focus on improving the security and reliability of the persistence layer across various Jans applications, including SAML, SCIM, Auth Server, and Configurator. The key changes include:
Removal of Hardcoded Passwords: The code now retrieves database passwords (Couchbase, SQL) from secure sources, such as environment variables or secrets management systems, instead of hardcoding them in the codebase. This reduces the risk of sensitive credential exposure.
Secure Configuration Management: The applications use environment variables and configuration managers to handle various settings, including persistence types, SSL/TLS certificates, and logging configurations. This approach promotes a more secure and maintainable configuration management process.
Persistence Layer Simplification: The changes remove support for certain persistence backends (e.g., Couchbase, SQL) in some applications, reducing the overall attack surface and complexity of the applications.
Improved Logging and Monitoring: The code includes updates to the logging configuration, allowing for better control and visibility of the applications' security-related events.
Secure LDIF File Handling: The applications import LDIF files for configuration and client data. Ensuring the integrity and security of these LDIF files is important to prevent the introduction of malicious data or unauthorized modifications.
Overall, the changes in this pull request appear to be focused on improving the security and maintainability of the Jans applications, particularly in the areas of credential management, configuration, and persistence layer setup. These changes are in line with application security best practices and should help strengthen the overall security posture of the applications.
Files Changed:
docker-jans-certmanager/scripts/bootstrap.py: The changes remove the synchronization of SQL and Couchbase passwords, keeping only the synchronization of Google Spanner credentials.
docker-jans-config-api/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords, and focus on rendering configuration properties, managing SSL/TLS certificates, and setting up the persistence layer.
docker-jans-casa/scripts/bootstrap.py: The changes manage various credentials and secrets, configure logging, and import LDIF files for the Jans Casa application.
docker-jans-auth-server/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords, and focus on improving the configuration and setup of the persistence layer.
docker-jans-configurator/scripts/bootstrap.py: The changes remove the support for Couchbase and SQL persistence backends, simplifying the application's persistence layer.
docker-jans-keycloak-link/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords, indicating a shift towards more secure password management.
docker-jans-fido2/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords and introduce logging configuration updates.
docker-jans-link/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords, suggesting a move towards more secure password management.
docker-jans-persistence-loader/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords and focus on improving the configuration and setup of the persistence layer.
docker-jans-saml/scripts/bootstrap.py: The changes remove the synchronization of Couchbase and SQL passwords, and focus on the configuration and setup of the SAML functionality.
docker-jans-scim/scripts/bootstrap.py: The changes remove the hardcoded passwords and focus on secure configuration management, certificate management, and SCIM client setup.
jans-pycloudlib/jans/pycloudlib/lock/__init__.py: The changes introduce a manager object to manage the lock functionality across different persistence backends.
jans-pycloudlib/jans/pycloudlib/lock/base_lock.py: The changes add an __init__ method to the BaseLock class to allow for the initialization of the manager attribute.
jans-pycloudlib/jans/pycloudlib/lock/spanner_lock.py: The changes update the constructor of the SpannerLock class to pass the manager parameter to the parent class.
`jans-pycloudlib/jans/pycloudlib/
Code Analysis
We ran 9 analyzers against 21 files and 1 analyzer had findings. 8 analyzers had no findings.
Error: Hi @iromli, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mo-auto
added
area-documentation
Prepare
Description
Target issue
closes #9711
Implementation Details
Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.Closes #9994,