fix(jans-linux-setup): KC setup - providerId UserStorageProvider

[devrimyatar]

Closes #8879

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Authn/Authz Analyzer	❕	3 findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes focus on the integration of the Keycloak Identity Provider (IDP) with the Jans SAML application. The changes involve updating the configuration files for the user storage provider component and the installation and configuration of the Keycloak server and its integration with the Jans API.

From an application security perspective, the changes do not appear to introduce any immediate security concerns. However, it is important to ensure that the configurations are properly secured and that sensitive information, such as client IDs, client secrets, and user passwords, are not stored in plain text. Additionally, the permissions and roles assigned to the jans-api-user should be reviewed to ensure they are appropriate for the application's use case.

Files Changed:

1. jans-linux-setup/jans_setup/templates/jans-saml/kc_jans_api/jans.userstorage-provider-component.json:

   • The change updates the parentId field from ${jans_idp_realm} to ${jans_idp_realm_id}, suggesting a change in the way the parent ID of the user storage provider component is determined.
   • It is important to ensure that the ${jans_idp_realm_id} variable is properly defined and secured to prevent potential security issues, such as SQL injection vulnerabilities.

2. jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py:

   • The changes are focused on the installation and configuration of the Keycloak IDP integration with the Jans SAML application.
   • The code handles sensitive information, such as client IDs, client secrets, and user passwords, which should be properly secured and not stored in plain text.
   • The code uses the kcadm.sh command-line tool to interact with the Keycloak server, and it is important to ensure that the tool is properly secured and that the user running the script has the necessary permissions.
   • The code creates a new Keycloak realm and configures various authentication flows and executions, which should be reviewed to ensure they are secure and meet the application's security requirements.
   • The code creates a new Keycloak client and assigns various roles to the jans-api-user, and the assigned roles should be reviewed to ensure they are appropriate for the application's use case.
   • The code uses the Config object to store various configuration values, and it is important to ensure that these values are properly secured and not exposed in the application's logs or other outputs.

Powered by DryRun Security

[sonarcloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud