fix(config-ap): lock audit endpoint parameter declaration error#9460

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #9460

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The provided code changes involve updates to the Jans Config API's Lock plugin, including modifications to the input parameters for some of the API endpoints related to lock audit functionality, and updates to the visibility and editability of attributes in the application.

Expand for full summary

Summary:

The provided code changes involve updates to the Jans Config API's Lock plugin, including modifications to the input parameters for some of the API endpoints related to lock audit functionality. The changes move the eventStartDate and eventEndDate parameters from the path to the query parameters, which is a common practice to improve the flexibility and maintainability of the API. From an application security perspective, these changes do not introduce any obvious security concerns, as the API endpoints are already protected by OAuth2 security, and the input parameters are standard date-time values in ISO8601 format.

However, it's worth reviewing the overall API design and implementation to ensure that proper input validation, authorization, and error handling are in place to mitigate potential security risks. Additionally, the changes in the AuditResource class appear to be focused on improving the robustness and error handling of the date range filtering functionality, which is a positive step from an application security perspective.

Another change involves updating the visibility and editability of attributes in the application, which could impact the access control and authorization mechanisms. It's important to ensure that these changes align with the security requirements and policies of the application and that they don't introduce any unintended security vulnerabilities.

Files Changed:

1. jans-config-api/plugins/docs/lock-plugin-swagger.yaml:

   • The changes update the input parameters for the /lock/audit/health/{eventStartDate}-{eventEndDate}, /lock/audit/log/{eventStartDate}-{eventEndDate}, and /lock/audit/telemetry/{eventStartDate}-{eventEndDate} endpoints, moving the eventStartDate and eventEndDate parameters from the path to the query parameters.

2. jans-config-api/plugins/lock-plugin/src/main/java/io/jans/configapi/plugin/lock/rest/AuditResource.java:

   • The changes include the use of checkNotNull() and checkResourceNotNull() methods to handle cases where the event start or end date is null or cannot be parsed.
   • The event start and end dates are now passed as query parameters instead of as path parameters.
   • The code consistently uses the auditService.getDnForHealthEntry(), auditService.getDnForLogEntry(), and auditService.getDnForTelemetryEntry() methods to decode the event start and end dates.

3. jans-config-api/docs/jans-config-api-swagger.yaml:

   • The changes update the whitePagesCanView, userCanView, userCanEdit, adminCanView, and adminCanEdit properties of the JansAttribute schema, which control the visibility and editability of attributes in the application.

Code Analysis

We ran 9 analyzers against 3 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	3 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[dryrunsecurity]

DryRun Security Summary

We are currently analyzing this pull request to produce a meaningful summary.

Code Analysis

We ran 9 analyzers against 3 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	3 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarcloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud