Merge branch 'main' into doc-stable-release-update

JanssenProject · Jan 16, 2025 · b3f2d7a · b3f2d7a
2 parents 08ee645 + 519c644
commit b3f2d7a
Show file tree

Hide file tree

Showing 27 changed files with 760 additions and 88 deletions.
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
@@ -307,6 +307,8 @@ jobs:
         overwrite: true
   build_demo_packages:
     if: github.repository == 'JanssenProject/jans'
+    # Needs cedarling wasm as jans-tarp uses the wasm package
+    needs: build_cedarling_wasm
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
@@ -326,6 +328,15 @@ jobs:
         for i in $(ls -d */); do zip -r demo-${i%/}-$VER-source.zip $i && sha256sum demo-${i%/}-$VER-source.zip > demo-${i%/}-$VER-source.zip.sha256sum; done
         sudo rm demo-jans-tarp-$VER-source.zip demo-jans-tarp-$VER-source.zip.sha256sum
         cd jans-tarp
+        # Get the latest cedarling wasm package
+        TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
+        if [ "${TAG}" == "nightly" ]; then
+          TAG="0.0.0"
+        fi
+        wget https://github.com/${{ github.repository }}/releases/download/"${VER}"/cedarling_wasm_"${TAG}"_pkg.tar.gz -O cedarling_wasm.tar.gz
+        mkdir wasm
+        tar -xvf cedarling_wasm.tar.gz -C wasm
+        # END Get the latest cedarling wasm package
         npm install
         npm run build
         npm run pack
@@ -380,4 +391,48 @@ jobs:
         gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl || echo "Failed to sign"
         gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl || echo "Failed to sign"
         echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
-        gh release upload "${VERSION}" *.whl *.sha256sum *.asc
+        gh release upload "${VERSION}" *.whl *.sha256sum *.asc
+  build_cedarling_wasm:
+    if: github.repository == 'JanssenProject/jans'
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Import GPG key
+      id: import_gpg
+      continue-on-error: true
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+      with:
+        gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+    - name: Build WASM build
+      id: sign-cedarling
+      working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
+      run: |
+        rustup update stable && rustup default stable
+        cargo install wasm-pack
+        wasm-pack build --release --target web
+        ls pkg
+    - name: Archive and sign pkg contents
+      id: archive_pkg
+      working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
+      run: |
+        TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
+        VERSION="$(echo ${{ github.event.ref }} | cut -d '/' -f 3)"
+        if [ "${TAG}" == "nightly" ]; then
+          VERSION=nightly
+          TAG="0.0.0"
+        fi
+        rm -rf pkg/.gitignore || echo "Failed to remove gitignore"
+        tar -czvf cedarling_wasm_"${TAG}"_pkg.tar.gz -C pkg .
+        sha256sum cedarling_wasm_"${TAG}"_pkg.tar.gz > cedarling_wasm_"${TAG}"_pkg.tar.gz.sha256sum
+        gpg --armor --detach-sign cedarling_wasm_"${TAG}"_pkg.tar.gz || echo "Failed to sign"
+        echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
+        gh release upload "${VERSION}" *.tar.gz *.sha256sum *.asc
diff --git a/docs/cedarling/cedarling-policy-store.md b/docs/cedarling/cedarling-policy-store.md
@@ -178,16 +178,18 @@ This record contains the information needed to validate tokens from this issuer:
 - **description** : (*String*) A brief description of the trusted issuer, providing context for administrators.
 - **openid_configuration_endpoint** : (*String*) The HTTPS URL for the OpenID Connect configuration endpoint (usually found at `/.well-known/openid-configuration`).
 - **identity_source** : (*Object*, *optional*) Metadata related to the tokens issued by this issuer.
-- **`access_tokens`, `id_tokens`, `userinfo_tokens`, and `tx_tokens`**: See: [Token Metadata Schema](#token-metadata-schema).
+
+**Notes**:
+
+- The `access_tokens`, `id_tokens`, `userinfo_tokens`, and `tx_tokens` fields will follow the [Token Metadata Schema](#token-metadata-schema).
+- The `access_tokens` will contain a `trusted` and `principal_identifier` field in addition to the fields from the `Token Metadata Schema`.
 
 ### Token Metadata Schema
 
 The Token Entity Metadata Schema defines how tokens are mapped, parsed, and transformed within Cedarling. It allows you to specify how to extract user IDs, roles, and other claims from a token using customizable parsers.
 
 ```json
 {
-  "trusted": bool,
-  "principal_identifier": "str",
   "user_id": "<field name in token (e.g., 'email', 'sub', 'uid', etc.) or '' if not used>",
   "role_mapping": "<field for role assignment (e.g., 'role', 'memberOf', etc.) or '' if not used>",
   "claim_mapping": {

diff --git a/docs/cedarling/python/sidecar.md b/docs/cedarling/python/sidecar.md
@@ -14,7 +14,7 @@ The sidecar is a containerized Flask project that uses the `cedarling_python` bi
 - Ensure that you have installed [docker](https://docs.docker.com/engine/install/) and [docker compose](https://docs.docker.com/compose/install/). 
 - Clone the [Janssen](https://github.com/JanssenProject/jans) repository
 - Navigate to `jans/jans-cedarling/flask-sidecar`
-- Edit the provided `secrets/bootstrap.json` file to your specifications. The configuration keys are described [here](https://github.com/JanssenProject/jans/blob/ffe9f493e4a5c6b05f2adeeb8a6eba7eb83b103e/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi#L9). 
+- Edit the provided `secrets/bootstrap.json` file to your specifications. The configuration keys are described [here](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi#L10). 
 - Run `docker compose up`
   - For cloud deployments, please use the provided Dockerfile and pass your bootstrap configuration via the environment variable `CEDARLING_BOOTSTRAP_CONFIG_FILE`.
 - The sidecar runs on port 5000. OpenAPI documentation is available at `http://0.0.0.0:5000/swagger-ui`
@@ -28,8 +28,13 @@ Example request to the evaluation endpoint:
 ```
 {
 	"subject": {
-		"type": "string",
-		"id": "string"
+		"type": "JWT",
+		"id": "cedarling",
+		"properties": {
+			"access_token": "",
+			"id_token": "",
+			"userinfo_token": ""
+		}
 	},
 	"resource": {
 		"type": "Jans::Application",
@@ -48,9 +53,6 @@ Example request to the evaluation endpoint:
 		"name": "Jans::Action::\"Read\""
 	},
 	"context": {
-		"access_token": "...",
-		"id_token": "...",
-		"userinfo_token": "...",
 		"device_health": [
 			"Healthy"
 		],

diff --git a/docs/script-catalog/consent_gathering/sample-script/ConsentGatheringSample.py b/docs/script-catalog/consent_gathering/sample-script/ConsentGatheringSample.py
@@ -30,7 +30,7 @@ def destroy(self, configurationAttributes):
         return True
 
     def getApiVersion(self):
-        return 1
+        return 11
 
     # Main consent-gather method. Must return True (if gathering performed successfully) or False (if fail).
     # All user entered values can be access via Map<String, String> context.getPageAttributes()

diff --git a/jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/SelectAccountHttpTest.java b/jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/SelectAccountHttpTest.java
@@ -20,7 +20,6 @@
 import io.jans.as.model.jwt.JwtHeaderName;
 import org.apache.logging.log4j.util.Strings;
 import org.json.JSONArray;
-import org.openqa.selenium.htmlunit.HtmlUnitDriver;
 import org.testng.annotations.AfterTest;
 import org.testng.annotations.BeforeTest;
 import org.testng.annotations.Parameters;
@@ -42,7 +41,7 @@ public class SelectAccountHttpTest extends BaseTest {
 
     @BeforeTest
     public void setUp() {
-        driver = new HtmlUnitDriver(true);
+        startSelenium();
         pageConfig = newPageConfig(driver);
     }
 

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeAction.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeAction.java
@@ -989,6 +989,20 @@ public String getClientDisplayName() {
         }
 
         final Client client = clientService.getClient(clientId);
+        return getCheckedClientDisplayName(client);
+    }
+
+    public String getClientDisplayName(final Client client) {
+        log.trace("client {}", client);
+
+        if (client == null) {
+        	getClientDisplayName();
+        }
+
+        return getCheckedClientDisplayName(client);
+    }
+
+	private String getCheckedClientDisplayName(final Client client) {
         if (StringUtils.isNotBlank(client.getClientName())) {
             return client.getClientName();
         }
@@ -998,7 +1012,7 @@ public String getClientDisplayName() {
         }
 
         return "Unknown";
-    }
+	}
 
     public String getAuthReqId() {
         return authReqId;

diff --git a/...-auth-server/server/src/main/webapp/WEB-INF/incl/layout/authorize-extended-template.xhtml b/...-auth-server/server/src/main/webapp/WEB-INF/incl/layout/authorize-extended-template.xhtml
@@ -46,7 +46,7 @@
 							<h:outputFormat
 								value="#{msgs['authorize.requestingPermissionForScopes']}">
 								<f:param
-									value="#{authorizeAction.clientDisplayName}" />
+									value="#{authorizeAction.getClientDisplayName(client)}" />
 							</h:outputFormat>
 						</p>
 					</h3>

diff --git a/jans-cedarling/flask-sidecar/Dockerfile b/jans-cedarling/flask-sidecar/Dockerfile
@@ -51,26 +51,27 @@ RUN git clone --filter blob:none --no-checkout https://github.com/JanssenProject
         && git sparse-checkout set jans-cedarling \
         && cd jans-cedarling/bindings/cedarling_python \
         && cp -r ../../flask-sidecar/* /api \
-        && version=$(sed -n 's/.*version = "\(.*\)"/\1/p' pyproject.toml) \
+        && version=$(sed -n 's/.*version = "\([0-9].[0-9].[0-9]\)"/\1/p' Cargo.toml) \
         && echo "${version}" > /api/cedarling_version \
         && release_version="${version}" \
         && if [ "$version" = "0.0.0" ]; then release_version="nightly"; fi \
-        && wget -q https://github.com/JanssenProject/jans/releases/download/"${release_version}"/cedarling_python-"${version}"-cp310-cp310-manylinux_2_34_x86_64.whl -O /api/cedarling_python-"${version}"-cp310-cp310-manylinux_2_34_x86_64.whl \
+        && wget -q https://github.com/JanssenProject/jans/releases/download/"${release_version}"/cedarling_python-"${version}"-cp310-cp310-manylinux_2_31_x86_64.whl -O /api/cedarling_python-"${version}"-cp310-cp310-manylinux_2_31_x86_64.whl \
         && rm -rf /tmp/jans
 
 # Setting up proper permissions:
 RUN chmod -R g=u /api \
     && chown -R 1000:1000 /api
 
 # Project initialization:
-RUN poetry add /api/cedarling_python-$(cat /api/cedarling_version)-cp310-cp310-manylinux_2_34_x86_64.whl \
+RUN poetry add /api/cedarling_python-$(cat /api/cedarling_version)-cp310-cp310-manylinux_2_31_x86_64.whl \
     && poetry install --no-dev --no-root --no-interaction --no-ansi \
     # Cleaning poetry installation's cache for production:
     && rm -rf "$POETRY_CACHE_DIR"
 
 ENV FLASK_APP=main.core:app \
     GUNICORN_LOG_LEVEL=${GUNICORN_LOG_LEVEL:-debug} \
-    CEDARLING_BOOTSTRAP_CONFIG_FILE=${CEDARLING_BOOTSTRAP_CONFIG_FILE:-/api/bootstrap.json}
+    CEDARLING_BOOTSTRAP_CONFIG_FILE=${CEDARLING_BOOTSTRAP_CONFIG_FILE:-/api/bootstrap.json} \
+    SIDECAR_DEBUG_RESPOSE=${SIDECAR_DEBUG_RESPONSE:-False}
 
 EXPOSE 5000
 LABEL org.opencontainers.image.url="ghcr.io/janssenproject/jans/cedarling-flask-sidecar" \

diff --git a/jans-cedarling/flask-sidecar/README.md b/jans-cedarling/flask-sidecar/README.md
@@ -7,18 +7,44 @@ This is a Flask API that implements the [AuthZen](https://openid.github.io/authz
 To run the API:
 
 - Install [poetry](https://python-poetry.org/docs/#installation)
-- Clone the [Janssen](https://github.com/JanssenProject/jans) repository
+- Clone the [Janssen](https://github.com/JanssenProject/jans) repository:
+    ```
+    git clone --filter blob:none --no-checkout https://github.com/JanssenProject/jans
+    ```
+    ```
+    cd jans
+    ```
     ```
-    git clone --filter blob:none --no-checkout https://github.com/JanssenProject/jans /tmp/jans \
-        && cd /tmp/jans \
-        && git sparse-checkout init --cone \
-        && git checkout main \
-        && git sparse-checkout set jans-cedarling
+    git sparse-checkout init --cone
+    ```
+    ```
+    git checkout main
+    ```
+
     ```
-- Navigate to `jans/jans-cedarling/flask-sidecar/main`
+    git sparse-checkout set jans-cedarling
+    ```
+- Navigate to `jans-cedarling/flask-sidecar`
 - Run `poetry install` to install dependencies
+- Navigate to `main/`
 - Run `poetry run flask run` to run the API on `http://127.0.0.1:5000` 
 
+## Configuration
+
+For running via poetry, the sidecar supports the following environment variables:
+
+| Variable name | Default value | Supported value(s) |
+| ------------- | ------------- | ------------------ |
+| APP_MODE | testing | development, testing, production |
+| CEDARLING_BOOTSTRAP_CONFIG_FILE | None | Path to your configuration |
+| SIDECAR_DEBUG_RESPONSE | False | True, False |
+
+- Navigate to `jans/jans-cedarling/flask-sidecar/main` and create a file named `.env`
+- Set environment variables like so:
+```
+APP_MODE=development
+```
+
 ## Tests
 
 Not yet implemented
@@ -28,6 +54,13 @@ Not yet implemented
 - Clone the [Janssen](https://github.com/JanssenProject/jans) repository
 - Navigate to `jans/jans-cedarling/flask-sidecar/`
 - Modify the `secrets/bootstrap.json` file to your specifications. Configuration values are described [here](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi).
+    - The default configuration expects you to provide a URL to a policy store file via `CEDARLING_POLICY_STORE_URI`. If you want to use a local policy store via `CEDARLING_POLICY_STORE_FN`, you need to mount it inside the docker image. Place your policy store file in the `secrets` folder and edit the Dockerfile at line 46 to add this line:
+
+    ```
+    ...
+    COPY --chown=1000:1000 ./secrets/<policy store file>.json /api/
+    ...
+    ```
 - Run `docker compose up`
 - The service is running on `http://0.0.0.0:5000`. OpenAPI documentation is available at `/swagger-ui`
 

diff --git a/jans-cedarling/flask-sidecar/docker-compose.yml b/jans-cedarling/flask-sidecar/docker-compose.yml
@@ -9,6 +9,7 @@ services:
       - FLASK_APP=main.core:app
       - APP_MODE=${APP_MODE:-development}
       - CEDARLING_BOOTSTRAP_CONFIG_FILE=/run/secrets/cedarling_bootstrap_config_file
+      - SIDECAR_DEBUG_RESPOSE={SIDECAR_DEBUG_RESPOSE:-False}
     secrets:
       - cedarling_bootstrap_config_file
 secrets:

diff --git a/jans-cedarling/flask-sidecar/main/app.py b/jans-cedarling/flask-sidecar/main/app.py
@@ -1,3 +1,19 @@
+"""
+Copyright (c) 2025, Gluu, Inc. 
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+
 from flask import Flask
 from main.config import ConfigLoader, get_instance_path
 from main.extensions import api, cors, cedarling