
feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776 #8792

Merged
merged 47 commits into main from issue_8776
Jun 27, 2024

Conversation

uprightech
Contributor

Closes #8776

* updated the keycloak configuration file to reflect the configuration for the storage-spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
… persistence layer

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…8614

* added persistence manager configuration for protocol mapper

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
#8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* added dependencies to protocol mapper
* added protocol mapper main class

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* added relevant models to fetch user attributes
* refactored the db configuration classes

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* created maven project for janssen spi bundle

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* added dependencies xml

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* added support for new protocol mapper in job scheduler
* fixed typo in application shutdown log message

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>


* added support for the protocol-mapper in job-scheduler configuration
* fixed issue in job-scheduler logging configuration that caused too many log files to be created

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
* additions to the spi bundle pom file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>


* added protocol mapper implementation

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* added thin bridge spi provider
* added models for thin bridge provider

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* moved authenticator spi to spi module
* minor refactoring to the authenticator spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* moved authenticator rest service spi to spi module

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* added new storage provider implementation

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* added missing files to spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* added resource files to spi module

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* bump spi version to 1.1.3-SNAPSHOT
* removed protocol-mapper PoC from build modules

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* minor bugfix to scheduler. did not show fatal startup errors in log file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* fix for fatal errors which still don't appear in the logs

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* further housekeeping in job-scheduler

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* fixed bug in user storage spi preventing authentication in new version of keycloak

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* removed reference to storage-spi module
* restored job-scheduler module in build pom

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* removed authenticator source as it was moved to spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

* fixes suggested by static analyser

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ation #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ion for ce and cn #8776

* marked jans authenticator in the kc authentication flow ALTERNATIVE
* updated providerId for our custom user storage provider

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ion for ce and cn #8776

* bump keycloak version in setup to 25.0.1

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ion for ce and cn #8776

* removed references to scim client configuration reference (used by former user storage provider)

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ion for ce and cn #8776

* moved kc service configuration parameters from service file to keycloak configuration file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
…ion for ce and cn #8776

* added quarkus.properties
* minor change to keycloak service file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

dryrunsecurity bot commented Jun 27, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

DryRun Security Status                   Findings
Authn/Authz Analyzer                     0 findings
Configured Codepaths Analyzer            0 findings
Secrets Analyzer                         0 findings
Server-Side Request Forgery Analyzer     0 findings
SQL Injection Analyzer                   0 findings
Sensitive Files Analyzer                 2 findings
IDOR Analyzer                            0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover various updates and improvements to the Jans Keycloak integration and the associated infrastructure. The key changes include:

  1. Keycloak Version Upgrades: The code changes update the Keycloak version from 24.0.3 to 25.0.1 in multiple locations, including the pom.xml and app_info.json files. This is a positive security-related change, as newer versions of Keycloak often include security fixes and improvements.

  2. Keycloak Service Configuration: The changes in the kc.service systemd file simplify the Keycloak server startup process, but it's important to ensure that all necessary security-related settings are still being applied.

  3. Docker Image Updates: The changes in the Dockerfile for the docker-jans-saml project update the base Keycloak and Java runtime images to their latest versions, which is a good security practice. The Dockerfile also includes several security-conscious practices, such as using a non-root user and managing secrets.

  4. Authentication Configuration: The changes in the jans.execution-auth-jans.json and jans.userstorage-provider-component.json files modify the authentication and user storage provider configuration, which should be carefully reviewed to ensure that the changes do not introduce any security vulnerabilities.

  5. Quarkus Application Configuration: The change in the quarkus.properties file excludes the io.jans.** package from the Quarkus Arc system, which should be reviewed to ensure that it does not have any unintended consequences or impact the application's security.

  6. Keycloak Server Configuration: The changes in the keycloak.conf file focus on improving the overall configuration and deployment of the Keycloak server, including database connection, observability, HTTP settings, and logging. These changes are generally positive from a security perspective, but it's important to ensure that all configurations are properly secured.

Files Changed:

  • jans-keycloak-integration/pom.xml: Updates the Keycloak version from 24.0.3 to 25.0.1.
  • jans-linux-setup/jans_setup/app_info.json: Updates the Keycloak version from 24.0.3 to 25.0.1.
  • jans-linux-setup/jans_setup/static/system/systemd/kc.service: Simplifies the Keycloak server startup process.
  • docker-jans-saml/Dockerfile: Updates the base Keycloak and Java runtime images to their latest versions.
  • jans-linux-setup/jans_setup/templates/jans-saml/kc_jans_api/jans.execution-auth-jans.json: Changes the "requirement" field for an authentication flow.
  • jans-linux-setup/jans_setup/templates/jans-saml/kc_jans_api/jans.userstorage-provider-component.json: Updates the user storage provider component.
  • jans-linux-setup/jans_setup/templates/jans-saml/quarkus.properties: Excludes the io.jans.** package from the Quarkus Arc system.
  • jans-linux-setup/jans_setup/templates/jans-saml/keycloak.conf: Updates the Keycloak server configuration.

Powered by DryRun Security

sonarcloud bot commented Jun 27, 2024

moabu
moabu previously approved these changes Jun 27, 2024
jans-linux-setup/jans_setup/app_info.json (review comment, resolved)
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@moabu moabu merged commit db6bc71 into main Jun 27, 2024
9 checks passed
@moabu moabu deleted the issue_8776 branch June 27, 2024 08:51
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
…ion for ce and cn #8776 (#8792)

* fix(jans-linux-setup): improper scim configuration for jans kc #8210
* updated the keycloak configuration file to reflect the configuration for the storage-spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* chore(jans-keycloak-integration): bump kc version to 24.0.0 #8315

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): keycloak protocol mapper

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): remove references to jans standalone persistence layer

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): experimental protocol mapper for kc #8614
* added persistence manager configuration for protocol mapper

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): added dependencies for protocol mapper #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): experimental protocol mapper #8614
* added dependencies to protocol mapper
* added protocol mapper main class

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): experimental protocol mapper #8614
* added relevant models to fetch user attributes
* refactored the db configuration classes

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): janssen spi bundle #8614
* created maven project for janssen spi bundle

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): janssen spi bundle #8614
* added dependencies xml

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to job-scheduler #8614
* added support for new protocol mapper in job scheduler
* fixed typo in application shutdown log message

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): keycloak integration enhancements #8614
* added support for the protocol-mapper in job-scheduler configuration
* fixed issue in job-scheduler logging configuration that caused too many log files to be created

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): spi bundle #8614
* additions to the spi bundle pom file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): keycloak integration enhancements #8614
* added protocol mapper implementation

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* added thin bridge spi provider
* added models for thin bridge provider

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* moved authenticator spi to spi module
* minor refactoring to the authenticator spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* moved authenticator rest service spi to spi module

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* added new storage provider implementation

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* added missing files to spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* added resource files to spi module

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* bump spi version to 1.1.3-SNAPSHOT
* removed protocol-mapper PoC from build modules

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* minor bugfix to scheduler. did not show fatal startup errors in log file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* fix for fatal errors which still don't appear in the logs

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* further housekeeping in job-scheduler

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* fixed bug in user storage spi preventing authentication in new version of keycloak

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* have scheduler create saml clients with document and assertion signing as default configuration

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancement to jans-keycloak-integration #8614
* removed reference to protocol-mapper poc submodule

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* removed reference to storage-spi module
* restored job-scheduler module in build pom

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* removed authenticator source as it was moved to spi

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614
* fixes suggested by static analyser

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): enhancements to jans-keycloak-integration #8614

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776
* marked jans authenticator in the kc authentication flow ALTERNATIVE
* updated providerId for our custom user storage provider

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776
* bump keycloak version in setup to 25.0.1

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776
* removed references to scim client configuration reference (used by former user storage provider)

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776
* moved kc service configuration parameters from service file to keycloak configuration file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn #8776
* added quarkus.properties
* minor change to keycloak service file

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>

* fix: adjust keycloak version

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>

---------

Signed-off-by: Rolain Djeumen <uprightech@gmail.com>
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
Co-authored-by: moabu <47318409+moabu@users.noreply.github.com>
Former-commit-id: db6bc71
Successfully merging this pull request may close these issues.

feat(jans-keycloak-integration): update kc-saml integration installation for ce and cn
3 participants