fix(config-api): application status endpoint specification changes

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #10147

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request covers various updates to the Jans Config API, including enhancements to user management, health check implementation, custom script handling, and Swagger documentation, with a focus on improving functionality and security, but also highlighting areas that warrant further review and consideration, such as sensitive information handling, input validation, and custom script security.

Expand for full summary

Summary:

The changes in this pull request cover various updates to the Jans Config API, including enhancements to the user management functionality, health check implementation, custom script handling, and Swagger documentation. From an application security perspective, the changes generally introduce positive security practices, such as the use of OAuth2 authentication and authorization, input validation, and error handling. However, there are a few areas that warrant further review and consideration:

1. Sensitive Information Handling: The code changes include instances of logging and returning sensitive information, such as application version and service status. It's important to ensure that such sensitive data is properly sanitized and obfuscated before being logged or exposed.

2. Input Validation and Command Execution: The ApiHealthCheck and StatusCheckerTimer classes include methods that execute external commands or scripts based on user-supplied input. Thorough input validation should be implemented to prevent potential command injection vulnerabilities.

3. Custom Script Security: The changes related to custom scripts, including the new access_evaluation script type, should be carefully reviewed to ensure that the implementation and configuration of these scripts do not introduce any security vulnerabilities.

4. Hardcoded Paths: The use of hardcoded paths in the code can make the application less portable and potentially introduce security issues if the paths are not properly managed.

Overall, the changes in this pull request appear to be focused on improving the functionality and security of the Jans Config API. However, it's crucial to continue to monitor the implementation and conduct regular security assessments to ensure the application remains secure.

Files Changed:

1. jans-config-api/plugins/docs/user-mgt-plugin-swagger.yaml: The changes include updates to the Swagger documentation for the user management plugin, such as the addition of the UserPatchRequest schema and modifications to the CustomObjectAttribute schema. The changes emphasize the use of security best practices, such as OAuth2 authentication and authorization.

2. jans-config-api/server/src/main/java/io/jans/configapi/rest/health/ApiHealthCheck.java: The changes in this file focus on improving the health check functionality, including the addition of a security requirement for the getApplicationVersion method and the handling of database connection issues.

3. jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/CustomScriptResource.java: The changes in this file are related to the handling of custom scripts, including updates to the logic for file-based custom scripts and the management of the authentication method.

4. jans-config-api/server/src/main/java/io/jans/configapi/service/status/StatusCheckerTimer.java: The changes in this file update the getServiceStatus() method to return a JsonNode instead of a Map<String, String>. However, this method also includes potential security concerns related to command execution and input validation.

5. jans-config-api/docs/jans-config-api-swagger.yaml: The changes in this file update the Swagger documentation, including the addition of the JsonNode schema and the new access_evaluation script type. These changes should be reviewed to ensure that the new functionality is properly secured.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarqubecloud]

Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-core'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'orm'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-pycloudlib'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud