docs: default acr script validation

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #8707

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Server-Side Request Forgery Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the configuration and management of the default authentication method and custom scripts in the Janssen Server. From an application security perspective, the changes introduce several security-relevant features, such as validation of the availability and active status of the authentication method, clear error handling, and documented authentication method selection flow. Additionally, the ability to manage custom scripts through a command-line interface (CLI) provides flexibility, but also introduces potential security risks that should be carefully considered.

The key security considerations include: ensuring that only valid and active authentication methods are used as the default, reviewing the code of custom scripts to mitigate vulnerabilities, carefully managing the configuration properties of custom scripts to prevent misconfigurations or unintended access to sensitive data, and implementing strict access controls and secure deployment practices to prevent unauthorized modifications to the custom scripts. Overall, the changes appear to be focused on improving the security and reliability of the Janssen Server's authentication and custom script management functionality.

Files Changed:

1. docs/admin/config-guide/default-authentication-method-config.md:

   • This file covers the configuration of the default authentication method in the Janssen Server, including the availability validation, error handling, and authentication method selection flow.
   • The changes highlight the security-focused aspects of the default authentication method configuration, such as the availability check and the clear error messaging.
   • The documented authentication method selection flow helps in understanding the server's behavior and ensures a well-defined and consistent authentication process.

2. docs/admin/config-guide/custom-scripts-config.md:

   • This file covers the management of custom scripts in the Janssen application, including the addition, updating, retrieval, and deletion of scripts through a command-line interface (CLI).
   • The security considerations include the potential impact of modifying or removing default authentication scripts, the risks associated with the supported scripting languages (Python and JavaScript), the various script types and their security implications, the management of configuration properties, and the potential for privilege escalation through the CLI.
   • Administrators should carefully review and validate the custom scripts, ensure appropriate security measures are in place, and implement strict access controls and secure deployment practices.

Powered by DryRun Security

[ossdhaval]

@pujavs if it is removed, what will be the fallback default authentication? Can AS live without any default authn method defined?

[pujavs]

@yuriyz, my understanding that AS can live without explicit setting of default auth method, request your confirmation and advice.

[yuriyz]

Yes, if nothing works, and no scripts then AS will fallback to "simple_password_auth".