
Issue 9111 #9276

Merged
merged 4 commits into from
Aug 27, 2024

Conversation

shekhar16
Contributor

#9111
Changes to refactor some fields.
Added metadataRefreshInterval, and restructured metadataServers.

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

dryrunsecurity bot commented Aug 26, 2024

DryRun Security Summary

The pull request focuses on improving the security and configurability of the FIDO2 (Fast Identity Online) implementation in the Janssen application, including renaming configuration parameters, adjusting user auto-enrollment, and enhancing the management of metadata servers and certificates.


Summary:

The code changes in this pull request are primarily focused on improving the security and configurability of the FIDO2 (Fast Identity Online) implementation in the Janssen application. The changes include renaming configuration parameters, adjusting the handling of user auto-enrollment, and enhancing the management of metadata servers and certificates.

Key security-related changes include:

  1. Renaming the "requestedCredentialTypes" parameter to "enabledFidoAlgorithms" to provide more granular control over the supported FIDO algorithms.
  2. Changing the "userAutoEnrollment" parameter to "debugUserAutoEnrollment", indicating that the auto-enrollment feature is now intended for debugging purposes only.
  3. Introducing the ability to configure multiple metadata servers and manage their associated certificates, improving the resilience and security of the metadata handling process.
  4. Implementing checks to ensure that only the enabled FIDO algorithms are used for authentication, and that the downloaded metadata blobs are from trusted sources.

Overall, the changes in this pull request appear to be focused on enhancing the security and configurability of the FIDO2 implementation, which is a critical component for user authentication in the Janssen application. The changes should be thoroughly reviewed and tested to ensure that they do not introduce any unintended security vulnerabilities.

Files Changed:

  1. docs/admin/fido/logs.md: Updates the configuration parameters related to FIDO2 algorithms and user auto-enrollment.
  2. docs/admin/fido/config.md: Modifies the FIDO2 configuration parameters, including disabling the Metadata Service and skipping MDS validation.
  3. docs/admin/reference/json/properties/fido2-properties.md: Documents the changes to the FIDO2 configuration parameters.
  4. docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md: Describes the updates to the FIDO2 configuration, including the changes to user auto-enrollment and metadata service.
  5. jans-config-api/plugins/docs/fido2-plugin-swagger.yaml: Updates the OpenAPI specification for the FIDO2 plugin, reflecting the changes to the configuration parameters.
  6. jans-cli-tui/cli_tui/plugins/020_fido/main.py: Modifies the FIDO2 configuration options in the CLI TUI application.
  7. jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json: Updates the FIDO2 configuration in the test resources.
  8. jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/fido2.json: Modifies the FIDO2 configuration in the test resources.
  9. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/AttestationMode.java: Introduces the AttestationMode enum to represent the different modes of attestation for FIDO2.
  10. jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/ref_dynami_conf.json: Updates the FIDO2 configuration in the test resources.
  11. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java: Modifies the FIDO2 configuration model, including changes to user auto-enrollment and metadata service.
  12. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/MetadataServer.java: Introduces a new class to represent a metadata server configuration.
  13. jans-fido2/server/src/main/java/io/jans/fido2/service/Fido2Service.java: Updates the FIDO2 configuration management service.
  14. jans-fido2/server/src/main/java/io/jans/fido2/service/mds/FetchMdsProviderService.java: Modifies the logic for fetching metadata from the MDS provider.
  15. `jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AssertionService

Code Analysis

We ran 9 analyzers against 23 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 8 findings

Riskiness

🟢 Risk threshold not exceeded.


@yurem yurem merged commit 6ae6aa3 into passkeys-project Aug 27, 2024
11 checks passed
@yurem yurem deleted the issue_9111 branch August 27, 2024 14:04
moabu pushed a commit that referenced this pull request Nov 7, 2024
* feat(jans-fido): refactor mds3 codebase and server config

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

* feat(jans-fido): revert rename from docker file #9111

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

* feat(jans-fido): add metadatarefreshinterval #9111

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

* feat(jans-fido): changes to refactor metadataservers #9111

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

---------

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>