
Issue 9111 #9324

Closed
wants to merge 5 commits into from
Conversation

shekhar16 (Contributor)

#9111
Changes to refactor requestedParties

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>

dryrunsecurity bot commented Aug 31, 2024

DryRun Security Summary

The code changes in this pull request focus on updating the configuration and management of the FIDO2 authentication system, including renaming various parameters, adjusting user auto-enrollment, and improving the handling of FIDO2 metadata, all aimed at enhancing the security and maintainability of the FIDO2 implementation.


Summary:

The code changes in this pull request focus on updating the configuration and management of the FIDO2 (Fast IDentity Online) authentication system. The key changes include renaming various configuration parameters, adjusting the handling of user auto-enrollment, and improving the management of FIDO2 metadata.

From an application security perspective, the changes appear to be focused on improving the security and maintainability of the FIDO2 implementation. The renaming of parameters, such as "requestedCredentialTypes" to "enabledFidoAlgorithms" and "requestedParties" to "rp" (Relying Party), suggests a more secure and standardized approach to managing the FIDO2 configuration. Additionally, the changes to the user auto-enrollment feature, where it is now marked as a "debug" feature, indicate a security-conscious decision to prevent potential unauthorized enrollment of users.

The changes also address the handling of FIDO2 metadata, including the management of metadata servers and the storage of metadata certificates in the database. These updates help to ensure the integrity and authenticity of the FIDO2 authentication process by properly verifying the metadata associated with registered authenticators.

Overall, the code changes in this pull request appear to be a positive step towards improving the security and maintainability of the FIDO2 implementation within the application.

Files Changed:

  1. docs/admin/fido/logs.md: This file has been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters and the handling of user auto-enrollment and metadata service.
  2. docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md: Similar changes have been made to this file, focusing on the FIDO2 configuration and the management of metadata.
  3. docs/admin/fido/config.md: This file has been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters and the handling of metadata service.
  4. docs/admin/reference/json/properties/fido2-properties.md: This file has been updated to document the changes in the FIDO2 configuration properties, including logging, caching, and metadata management.
  5. jans-cli-tui/cli_tui/plugins/020_fido/main.py: The changes in this file focus on the FIDO2 configuration management in the command-line interface and text-based user interface application.
  6. jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json: This file has been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters and the handling of metadata servers.
  7. jans-config-api/plugins/docs/fido2-plugin-swagger.yaml: This file has been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters and the handling of metadata service.
  8. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/MetadataServer.java: This file has been updated to add a new property for certificate document IDs.
  9. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/AttestationMode.java: This file has been updated to add support for the DISABLED, MONITOR, and ENFORCED attestation modes.
  10. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java: This file has been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters and the handling of metadata service.
  11. jans-fido2/model/src/main/java/io/jans/fido2/model/conf/RequestedParty.java: This file has been updated to rename the name field to id and the domains field to origins.
  12. jans-fido2/server/src/main/java/io/jans/fido2/service/Fido2Service.java: This new class is responsible for managing the FIDO2 configuration.
  13. `jans-fido2/server/src/main/java/io/jans/fido2/service

Code Analysis

We ran 9 analyzers against 24 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 8 findings

Riskiness

🟢 Risk threshold not exceeded.

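The summary above turns on two configuration changes that carry security weight: a relying party is now described by an `id` plus a list of allowed `origins`, and attestation can run in DISABLED, MONITOR or ENFORCED mode. The example below is added here to show what a server does with those values during a WebAuthn registration ceremony; it is not code from the Janssen project or from this PR. It checks the `clientDataJSON` origin against the configured origins by exact match, binds the authenticator data to the configured `rp.id` through the rpIdHash, and then applies the attestation mode. The RP configuration, the meaning assigned to the three modes, and the constructed registration inputs are assumptions for illustration.

```python
"""Added example (not Janssen project code): registration-response
checks against an RP config of the form {"id": ..., "origins": [...]}
and an attestation mode of DISABLED / MONITOR / ENFORCED.
Config values and mode semantics are assumptions for illustration."""
import base64
import hashlib
import json
from enum import Enum


class AttestationMode(Enum):
    DISABLED = "disabled"   # assumption: skip attestation checks entirely
    MONITOR = "monitor"     # assumption: verify, log failures, still accept
    ENFORCED = "enforced"   # assumption: verify and reject on failure


# Hypothetical RP configuration in the renamed shape (id + origins).
RP_CONFIG = [
    {"id": "login.example.com",
     "origins": ["https://login.example.com", "https://app.example.com"]},
]


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def find_rp(rp_id: str):
    for rp in RP_CONFIG:
        if rp["id"] == rp_id:
            return rp
    return None


def verify_registration(rp_id, expected_challenge, client_data_b64, auth_data,
                        attestation_trusted, mode, log):
    """Return (accepted, reason).

    Performs the origin, challenge, ceremony-type and rpIdHash checks of
    WebAuthn registration verification, then applies the attestation policy.
    attestation_trusted stands in for the result of the metadata lookup.
    """
    rp = find_rp(rp_id)
    if rp is None:
        return False, "unknown rp id"
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.create":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    # Exact-match against the configured origin list; no prefix or
    # suffix matching, so login.example.com.evil.net is rejected.
    if client_data.get("origin") not in rp["origins"]:
        return False, "origin not allowed for rp"
    # authData = rpIdHash(32) || flags(1) || signCount(4) || ...
    # The hash must be of the rp.id we configured, not whatever the client sent.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp["id"].encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag
        return False, "user presence flag not set"
    if mode is AttestationMode.DISABLED:
        return True, "accepted (attestation not checked)"
    if attestation_trusted:
        return True, "accepted"
    if mode is AttestationMode.MONITOR:
        log.append(f"attestation untrusted for rp {rp_id}; accepted in MONITOR mode")
        return True, "accepted (monitor)"
    return False, "attestation untrusted"


# Constructed inputs standing in for what a browser would send.
def make_client_data(origin, challenge, typ="webauthn.create"):
    payload = {"type": typ, "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_auth_data(rp_id, flags=0x41):  # UP + AT
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


if __name__ == "__main__":
    challenge = "dGVzdC1jaGFsbGVuZ2U"
    events = []
    ok = verify_registration("login.example.com", challenge,
                             make_client_data("https://app.example.com", challenge),
                             make_auth_data("login.example.com"),
                             True, AttestationMode.ENFORCED, events)
    bad = verify_registration("login.example.com", challenge,
                              make_client_data("https://login.example.com.evil.net", challenge),
                              make_auth_data("login.example.com"),
                              True, AttestationMode.ENFORCED, events)
    print(ok, bad)
```

Renaming `domains` to `origins` is more than cosmetic: an origin carries the scheme and port, so `https://app.example.com` and `http://app.example.com` are different entries, and the comparison above is an exact set membership rather than a domain-suffix test. MONITOR mode is the rollout setting an operator would use while populating metadata for existing authenticators before switching to ENFORCED.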

@shekhar16 shekhar16 closed this Sep 2, 2024
@shekhar16 shekhar16 deleted the issue_9111 branch September 2, 2024 14:46