From 54da578eb59e53a09915c0011f660ba85dd2ec03 Mon Sep 17 00:00:00 2001
From: iromli
Date: Tue, 8 Feb 2022 02:11:39 +0700
Subject: [PATCH 1/2] fix(image): update fido2-server to address bad archive issue
---
 docker-jans-fido2/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-jans-fido2/Dockerfile b/docker-jans-fido2/Dockerfile
index d0a49770787..e36f7507c3c 100644
--- a/docker-jans-fido2/Dockerfile
+++ b/docker-jans-fido2/Dockerfile
@@ -35,7 +35,7 @@ EXPOSE 8080
 # =====
 ENV CN_VERSION=1.0.0-SNAPSHOT
-ENV CN_BUILD_DATE='2022-01-25 05:48'
+ENV CN_BUILD_DATE='2022-02-07 16:34'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-fido2-server/${CN_VERSION}/jans-fido2-server-${CN_VERSION}.war
 # Install FIDO2
From 4a358f6c79f90bd0f0191e167d975c21c2228558 Mon Sep 17 00:00:00 2001
From: iromli
Date: Tue, 8 Feb 2022 02:13:03 +0700
Subject: [PATCH 2/2] fix(image): update jansConfDyn attribute
---
 .../scripts/upgrade.py | 92 +++++++++++++++++++
 .../templates/jans-auth/dynamic-conf.json | 25 ++++-
 .../templates/jans-auth/dynamic-conf.ob.json | 26 +++++-
 3 files changed, 135 insertions(+), 8 deletions(-)
diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
index a5554e6734c..b70de5f8ed5 100644
--- a/docker-jans-persistence-loader/scripts/upgrade.py
+++ b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -1,4 +1,5 @@
 import contextlib
+import itertools
 import json
 import logging.config
 import os
@@ -49,6 +50,48 @@ def __init__(self):
 #: ID of manager group
 JANS_MANAGER_GROUP = "inum=60B7,ou=groups,o=jans"
+#: ID of jans-auth config
+JANS_AUTH_CONFIG_ID = "ou=jans-auth,ou=configuration,o=jans"
+
+
+def _transform_auth_dynamic_config(conf):
+ should_update = False
+
+ if all([
+ os.environ.get("CN_DISTRIBUTION", "default") == "openbanking",
+ "dcrAuthorizationWithMTLS" not in conf,
+ ]):
+ conf["dcrAuthorizationWithMTLS"] = False
+ should_update = True
+
+ if "grantTypesAndResponseTypesAutofixEnabled" not in conf:
+ conf["grantTypesAndResponseTypesAutofixEnabled"] = False
+ should_update = True
+
+ if "sessionIdEnabled" in conf:
+ conf.pop("sessionIdEnabled")
+ should_update = True
+
+ # assert the authorizationRequestCustomAllowedParameters contains dict values instead of string
+ params_with_dict = list(itertools.takewhile(
+ lambda x: isinstance(x, dict), conf["authorizationRequestCustomAllowedParameters"]
+ ))
+ if not params_with_dict:
+ conf["authorizationRequestCustomAllowedParameters"] = list(map(
+ lambda p: {"paramName": p[0], "returnInResponse": p[1]},
+ [
+ ("customParam1", False),
+ ("customParam2", False),
+ ("customParam3", False),
+ ("customParam4", True),
+ ("customParam5", True),
+ ]
+ ))
+ should_update = True
+
+ # return the conf and flag to determine whether it needs update or not
+ return conf, should_update
+
 class LDAPBackend(BaseBackend):
 def __init__(self, manager):
@@ -166,6 +209,17 @@ def update_base_entries(self):
 entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
 self.modify_entry(JANS_BASE_ID, entry.attrs)
+ def update_auth_dynamic_config(self):
+ entry = self.get_entry(JANS_AUTH_CONFIG_ID)
+ if not entry:
+ return
+
+ conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+ if should_update:
+ entry.attrs["jansConfDyn"] = json.dumps(conf)
+ entry.attrs["jansRevision"] += 1
+ self.modify_entry(entry.id, entry.attrs)
+
 class SQLBackend(BaseBackend):
 def __init__(self, manager):
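Review bot: In `_transform_auth_dynamic_config`, `conf["authorizationRequestCustomAllowedParameters"]` raises KeyError when an existing jansConfDyn has no such key, and when the list holds only strings the whole list is replaced by the hard-coded customParam1..5 entries, so any parameter name an operator had added to the deployed config is silently dropped from the allowed set. Because `takewhile` only inspects the leading run of dicts, a list that starts with a dict but still contains strings is also left in a mixed shape. Migrating each string entry in place keeps the operator's names and only changes the shape; `returnInResponse: False` mirrors what the template assigns to the existing customParam1..3. If seeding the five defaults into an empty or missing list is intended, keep that as a separate `if not params` branch rather than the catch-all replacement.
```python
    # migrate legacy string entries in place; dict entries are kept untouched
    params = conf.get("authorizationRequestCustomAllowedParameters") or []
    if any(isinstance(p, str) for p in params):
        conf["authorizationRequestCustomAllowedParameters"] = [
            p if isinstance(p, dict) else {"paramName": p, "returnInResponse": False}
            for p in params
        ]
        should_update = True
    # … unchanged: return conf, should_update …
```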
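Review bot: `entry.attrs["jansRevision"] += 1` in LDAPBackend.update_auth_dynamic_config assumes the stored revision is already an int; if this backend hands attribute values back as strings, as LDAP attributes usually are, the line raises TypeError and the migration aborts after the config was already parsed — `entry.attrs["jansRevision"] = int(entry.attrs["jansRevision"]) + 1` works for both representations. The same method body, differing only in the lookup arguments and in CouchbaseBackend skipping json.loads/json.dumps, is repeated in the SQLBackend, CouchbaseBackend and SpannerBackend hunks that follow; a shared helper on BaseBackend taking the lookup kwargs would leave one place to fix. None of the four copies has a docstring; `"""Migrate the persisted jans-auth dynamic config (jansConfDyn) to the current schema and bump jansRevision."""` states the contract.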
@@ -272,6 +326,18 @@ def update_base_entries(self):
 entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
 self.modify_entry(id_, entry.attrs, **kwargs)
+ def update_auth_dynamic_config(self):
+ kwargs = {"table_name": "jansAppConf"}
+ entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+ if not entry:
+ return
+
+ conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+ if should_update:
+ entry.attrs["jansConfDyn"] = json.dumps(conf)
+ entry.attrs["jansRevision"] += 1
+ self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 class CouchbaseBackend(BaseBackend):
 def __init__(self, manager):
@@ -439,6 +505,18 @@ def update_base_entries(self):
 entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
 self.modify_entry(id_, entry.attrs, **kwargs)
+ def update_auth_dynamic_config(self):
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ entry = self.get_entry(id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+ if not entry:
+ return
+
+ conf, should_update = _transform_auth_dynamic_config(entry.attrs["jansConfDyn"])
+ if should_update:
+ entry.attrs["jansConfDyn"] = conf
+ entry.attrs["jansRevision"] += 1
+ self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 class SpannerBackend(BaseBackend):
 def __init__(self, manager):
@@ -545,6 +623,18 @@ def update_base_entries(self):
 entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
 self.modify_entry(id_, entry.attrs, **kwargs)
+ def update_auth_dynamic_config(self):
+ kwargs = {"table_name": "jansAppConf"}
+ entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs)
+ if not entry:
+ return
+
+ conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"]))
+ if should_update:
+ entry.attrs["jansConfDyn"] = json.dumps(conf)
+ entry.attrs["jansRevision"] += 1
+ self.modify_entry(entry.id, entry.attrs, **kwargs)
+
 class Upgrade:
 def __init__(self, manager):
@@ -571,3 +661,5 @@ def invoke(self):
 if hasattr(self.backend, "update_misc"):
 self.backend.update_misc()
+
+ self.backend.update_auth_dynamic_config()
diff --git a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json
index feb7544dbcf..934d6fca96e 100644
--- a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json
+++ b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.json
@@ -296,6 +296,7 @@
 "invalidateSessionCookiesAfterAuthorizationFlow":false,
 "clientAuthenticationFiltersEnabled":false,
 "clientRegDefaultToCodeFlowWithRefresh": true,
+ "grantTypesAndResponseTypesAutofixEnabled": false,
 "authenticationFilters":[
 {
 "filter":"(&(mail=*{0}*)(inum={1}))",
@@ -320,7 +321,6 @@
 ],
 "sessionIdUnusedLifetime":86400,
 "sessionIdUnauthenticatedUnusedLifetime":120,
- "sessionIdEnabled":true,
 "changeSessionIdOnAuthentication":true,
 "returnClientSecretOnRead": true,
 "sessionIdPersistOnPromptNone":true,
@@ -369,9 +369,26 @@
 "httpLoggingExludePaths": [],
 "externalLoggerConfiguration": "",
 "authorizationRequestCustomAllowedParameters" : [
- "customParam1",
- "customParam2",
- "customParam3"
+ {
+ "paramName": "customParam1",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam2",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam3",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam4",
+ "returnInResponse": true
+ },
+ {
+ "paramName": "customParam5",
+ "returnInResponse": true
+ }
 ],
 "legacyDynamicRegistrationScopeParam": false,
 "openidScopeBackwardCompatibility": false,
diff --git a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json
index 90ac0edabf1..d3d3c8d9bf2 100644
--- a/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json
+++ b/docker-jans-persistence-loader/templates/jans-auth/dynamic-conf.ob.json
@@ -209,6 +209,7 @@
 "dcrSignatureValidationJwksUri": null,
 "dcrAuthorizationWithClientCredentials": false,
 "dcrSkipSignatureValidation": true,
+ "dcrAuthorizationWithMTLS": false,
 "softwareStatementValidationType": "script",
 "softwareStatementValidationClaimName": "jwks_uri",
 "dynamicRegistrationEnabled":true,
@@ -227,13 +228,13 @@
 "invalidateSessionCookiesAfterAuthorizationFlow":false,
 "clientAuthenticationFiltersEnabled":false,
 "clientRegDefaultToCodeFlowWithRefresh": true,
+ "grantTypesAndResponseTypesAutofixEnabled": false,
 "authenticationFilters":[
 ],
 "clientAuthenticationFilters":[
 ],
 "sessionIdUnusedLifetime":86400,
 "sessionIdUnauthenticatedUnusedLifetime":120,
- "sessionIdEnabled":true,
 "changeSessionIdOnAuthentication":true,
 "returnClientSecretOnRead": true,
 "sessionIdPersistOnPromptNone":true,
@@ -282,9 +283,26 @@
 "httpLoggingExludePaths": [],
 "externalLoggerConfiguration": "",
 "authorizationRequestCustomAllowedParameters" : [
- "customParam1",
- "customParam2",
- "customParam3"
+ {
+ "paramName": "customParam1",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam2",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam3",
+ "returnInResponse": false
+ },
+ {
+ "paramName": "customParam4",
+ "returnInResponse": true
+ },
+ {
+ "paramName": "customParam5",
+ "returnInResponse": true
+ }
 ],
 "legacyDynamicRegistrationScopeParam": false,
 "openidScopeBackwardCompatibility": false,