feat: allow access to values stored in cache from templates #9194

Merged
merged 3 commits into from
Aug 15, 2024

Conversation

jgomer2001
Contributor

Prepare


Description

Target issue

closes #9115

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

dryrunsecurity bot commented Aug 15, 2024

DryRun Security Summary

The provided code changes focus on the Agama engine and its related components, introducing a new dependency on the jans-core-cache artifact, adding a CacheService dependency to the Page class, improving logging in the MethodInvoker class, and updating the documentation for the Agama framework's flow navigation, UI pages, and assets handling.

Summary:

The provided code changes cover several files in the Jans Auth Server project, primarily focused on the Agama engine and its related components. The changes introduce a new dependency on the jans-core-cache artifact, add a CacheService dependency to the Page class, improve logging in the MethodInvoker class, and update the documentation for the Agama framework's flow navigation, UI pages, and assets handling.

From an application security perspective, the changes do not appear to introduce any obvious security vulnerabilities. The addition of the CacheService dependency and the improvements to the MethodInvoker class are reasonable enhancements that can improve the application's performance and reliability. The documentation updates also provide valuable information for developers working with the Agama framework, including details on template security and user input handling.

However, it is important to thoroughly review the implementation of the CacheService and ensure that it does not introduce any security risks, such as improper handling of cached data or potential injection vulnerabilities. Additionally, the use of the 3-parameter variant of the RRF instruction, which can provide a callback URL, should be carefully reviewed to ensure that the callback URL is properly validated and secured to prevent potential open redirect or other attacks.

Overall, the changes in this pull request appear to be routine improvements and do not raise any immediate security concerns. As an application security engineer, I would recommend continuing to monitor the codebase and dependencies for any potential security issues, and to thoroughly test the application to ensure that the changes do not introduce any unintended consequences or vulnerabilities.

Files Changed:

  1. jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/page/Page.java:

    • Added a new dependency, CacheService, to the Page class.
    • Introduced a new static constant CACHE_KEY to store the key for accessing the CacheService instance in the dataModel map.
    • Updated the getDataModel() method to add the CacheService instance to the dataModel map.
  2. jans-auth-server/agama/engine/pom.xml:

    • Added a new dependency to the project, jans-core-cache from the io.jans group.
  3. jans-auth-server/agama/engine/src/main/java/io/jans/agama/engine/service/MethodInvoker.java:

    • Updated the log message in the candidateMethodEntries method to use the getName() method instead of getClass().getName() to get the class name.
  4. docs/admin/developer/agama/flows-navigation-ui.md:

    • Provided a detailed explanation of the Agama framework's flow navigation, UI pages, and assets handling.
    • Highlighted the importance of template security and user input handling.
    • Discussed the potential security implications of the 3-parameter variant of the RRF instruction, which can provide a callback URL.

Code Analysis

We ran 9 analyzers against 4 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:

  • Sensitive Files Analyzer: 1 finding
  • Authn/Authz Analyzer: 1 finding

Riskiness

🟢 Risk threshold not exceeded.

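As an added example (not code from the Janssen project or this PR), the hypothetical class below shows the least-privilege check the summary asks reviewers to make: instead of placing the full CacheService in the template data model under CACHE_KEY, it publishes a lookup-only view limited to an allow-listed key prefix, so template code can neither write or evict entries nor read keys belonging to other subsystems. The CacheService method shape, the MapCacheService backend, the TemplateCacheView class, the "agama:" prefix and the "cache" key value are all assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CacheAwarePage {
    // Assumed minimal shape of the cache service; the project's CacheService API may differ.
    public interface CacheService {
        Object get(String key);
        void put(int expirationSeconds, String key, Object value);
        void remove(String key);
    }

    // Hypothetical in-memory backend so the example runs stand-alone (expiry is ignored).
    public static final class MapCacheService implements CacheService {
        private final Map<String, Object> store = new HashMap<>();
        public Object get(String key) { return store.get(key); }
        public void put(int expirationSeconds, String key, Object value) { store.put(key, value); }
        public void remove(String key) { store.remove(key); }
    }

    // The object a template actually receives: lookups only, restricted to allow-listed
    // key prefixes; put()/remove() are simply not reachable from template code.
    public static final class TemplateCacheView {
        private final CacheService delegate;
        private final List<String> allowedPrefixes;

        TemplateCacheView(CacheService delegate, List<String> allowedPrefixes) {
            this.delegate = delegate;
            this.allowedPrefixes = allowedPrefixes;
        }

        public Object get(String key) {
            if (key == null || allowedPrefixes.stream().noneMatch(key::startsWith)) {
                return null;  // a key outside the allow-list behaves like a cache miss
            }
            return delegate.get(key);
        }
    }

    public static final String CACHE_KEY = "cache";  // assumed value for the PR's constant name
    private final CacheService cacheService;

    public CacheAwarePage(CacheService cacheService) { this.cacheService = cacheService; }

    // Same role as the PR's getDataModel(), but publishes the view rather than the raw service.
    public Map<String, Object> getDataModel() {
        Map<String, Object> model = new HashMap<>();
        model.put(CACHE_KEY, new TemplateCacheView(cacheService, List.of("agama:")));
        return model;
    }
}
```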

@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-jans-auth-server Component affected by issue or PR comp-agama Touching folder /agama kind-feature Issue or PR is a new feature request labels Aug 15, 2024
@yurem yurem enabled auto-merge (squash) August 15, 2024 15:14
@moabu moabu changed the base branch from main to release-1.1.4 August 15, 2024 16:13
@moabu moabu merged commit 8d8abd4 into release-1.1.4 Aug 15, 2024
11 checks passed
@moabu moabu deleted the agama-issue_9115 branch August 15, 2024 16:13
moabu added a commit that referenced this pull request Aug 19, 2024
* chore(release): release 1.1.4

Signed-off-by: moabu <[email protected]>

* chore: update dockerbuilds

Signed-off-by: moabu <[email protected]>

* fix(jans-auth): sync test file profile with setup (#9196)

* feat: allow access to values stored in cache from templates (#9194)

* fix(jans-auth): fix test data (#9201)

* fix(jans-auth): fix test data #9201 (#9202)

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

---------

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-auth-server): missed chain call in header filter (release 1.1.4) (#9206)

fix(jans-auth-server): missed chain call in header filter

Signed-off-by: YuriyZ <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>

* chore: update dockerbuilds

Signed-off-by: moabu <[email protected]>

* fix(jans-auth): fix test data (#9211)

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

* fix(jans-auth): sync test file profile with setup

Signed-off-by: Yuriy Movchan <[email protected]>

---------

Signed-off-by: Yuriy Movchan <[email protected]>

* docs(jans): fixing typos and wrong urls (#9210)

Signed-off-by: Amro Misbah <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>

---------

Signed-off-by: moabu <[email protected]>
Signed-off-by: Yuriy Movchan <[email protected]>
Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: Amro Misbah <[email protected]>
Co-authored-by: Yuriy Movchan <[email protected]>
Co-authored-by: Jose Gonzalez <[email protected]>
Co-authored-by: YuriyZ <[email protected]>
Co-authored-by: Amro Misbah <[email protected]>
Successfully merging this pull request may close these issues.

feat(agama): allow access to values stored in cache from templates