Merge branch 'main' into jans-cedarling-10554

.github/workflows/build-nightly-build.yml

@@ -2,6 +2,11 @@ name: Activate Nightly Build
 
 on:
   workflow_dispatch:
+    inputs:
+      branch:
+        description: 'The branch to build night release from'
+        required: false
+        default: 'main'
   schedule:
     - cron: "0 23 * * *"
 permissions:
@@ -37,4 +42,8 @@ jobs:
         gh release delete ${NIGHTLY_VERSION} --cleanup-tag --yes || echo "v${NIGHTLY_VERSION}" does not exist
         gh release delete ${NIGHTLY_VERSION} --cleanup-tag --yes || echo "v${NIGHTLY_VERSION}" does not exist
         git push --delete origin ${NIGHTLY_VERSION} || echo "v${NIGHTLY_VERSION}" does not exist
-        gh release create ${NIGHTLY_VERSION} --generate-notes --prerelease --title "${NIGHTLY_VERSION}"
+        TARGET_BRANCH=${{ github.event.inputs.branch }}
+        if [ -z "$TARGET_BRANCH" ]; then
+          TARGET_BRANCH="main"
+        fi
+        gh release create ${NIGHTLY_VERSION} --generate-notes --prerelease --title "${NIGHTLY_VERSION}" --target "${TARGET_BRANCH}"

.github/workflows/build-packages.yml

@@ -339,7 +339,7 @@ jobs:
         gh release upload $VER *.zip *.sha256sum --clobber
   build_cedarling_python:
     if: github.repository == 'JanssenProject/jans'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
@@ -375,9 +375,9 @@ jobs:
           TAG="0.0.0"
         fi
         cd ${{ github.workspace }}/jans-cedarling/target/wheels
-        sha256sum cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl.sha256sum
-        sha256sum cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl.sha256sum
-        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl || echo "Failed to sign"
-        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl || echo "Failed to sign"
+        sha256sum cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl > cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl.sha256sum
+        sha256sum cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl > cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl.sha256sum
+        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl || echo "Failed to sign"
+        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl || echo "Failed to sign"
         echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
         gh release upload "${VERSION}" *.whl *.sha256sum *.asc

README.md

@@ -34,9 +34,10 @@ commercial distribution of Janssen Project Components called
 **Social**: [Linkedin](https://www.linkedin.com/company/janssen-project)
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/janssen-auth-server)](https://artifacthub.io/packages/search?repo=janssen-auth-server)
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4353/badge)](https://bestpractices.coreinfrastructure.org/projects/4353)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/JanssenProject/jans/badge)](https://scorecard.dev/viewer/?uri=github.com/JanssenProject/jans)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/4353/badge)](https://www.bestpractices.dev/projects/4353)
 [![Hex.pm](https://img.shields.io/hexpm/l/plug)](./LICENSE)
-[![GitHub contributors](https://img.shields.io/github/contributors/janssenproject/jans)](#users-and-community)
+[![GitHub contributors](https://img.shields.io/github/contributors/janssenproject/jans)](#community)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 ----
@@ -45,25 +46,27 @@ commercial distribution of Janssen Project Components called
 
 | Component                                    | Description                                                                                                                                                                                                                                 | Lifecycle Stage                                                  |
 |:---------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------|
-| **[Jans Auth Server](jans-auth-server)**     | A very complete Java OAuth Authorization Server and a [certified](https://openid.net/certification/) OpenID Connect Provider. It's the upstream open-source core of [Gluu Flex](https://gluu.org/flex).                                     | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
+| **[Jans Auth Server](jans-auth-server)**     | A complete OAuth Authorization Server and a [certified](https://openid.net/certification/) OpenID Connect Provider written in Java. It's the upstream open-source core of [Gluu Flex](https://gluu.org/flex).                                     | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
 | **[Agama](agama)**                           | Agama offers an interoperable way to design authentication flows, coded in a DSL purpose-built for writing identity journeys.                                                                                                               | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
 | **[Jans FIDO](jans-fido2)**                  | Enables end-users to enroll and authenticate with passkeys and other FIDO authenticators.                                                                                                                                                   | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
 | **[Jans SCIM](jans-scim)**                   | [SCIM](http://www.simplecloud.info/) JSON/REST [API](https://docs.jans.io/head/admin/reference/openapi/) for user management, including associated FIDO devices.                                                                            | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
-| **[Jans Config API](jans-config-api)**       | RESTful control plane for all Janssen components.                                                                                                                                                                                           | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
-| **[Text UI ("TUI")](jans-cli-tui)**          | Command line and interactive configuration tools to help you correctly call the Config API.                                                                                                                                                 | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
+| **[Jans Config API](jans-config-api)**       | RESTful APIs manage configuration for all Janssen components.                                                                                                                                                                                           | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
+| **[Text UI ("TUI")](jans-cli-tui)**          | User interface accessible from command line. TUI is text-based interactive configuration tool that leverages config-API to configure Janssen Server modules                                                                                                                                                 | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
+| **[Jans CLI](jans-cli-tui)**          | Command line configuration tools to help you correctly call the Config API.                                                                                                                                                 | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
 | **[Jans Casa](jans-casa)**                   | Jans Casa is a self-service web portal for end-users to manage authentication and authorization preferences for their account in the Janssen Server                                                                                         | ![Graduated](https://img.shields.io/badge/Graduated-%2301ba77)   |
 | **[Jans KC](jans-keycloak-integration)**     | provides an array of out of the box IAM services in a single lightweight container image. It's handy for many workforce requirements like SAML. The Janssen authenticator module (SPI) simplifies SSO across Janssen and Keycloak websites. | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
 | **[Jans LDAP Link](jans-link)**              | a group of components that provide synchronization services to update the Janssen User Store from an external authoritative LDAP data sources                                                                                               | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
 | **[Jans Keycloak Link](jans-keycloak-link)** | a group of components that provide synchronization services to update the Janssen User Store from an external authoritative Keycloak data sources                                                                                           | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
-| **[Jans Cedarling](jans-cedaring)**          | Cedarling binding for Python and WASM. In simple terms, the Cedarling returns the answer: should the application allow this action on this resource given these JWT tokens..                                                                | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
+| **[Jans Cedarling](jans-cedarling)**          | Cedarling is an embeddable stateful Policy Decision Point for authorization requests. In simple terms, the Cedarling returns the answer: should the application allow this action on this resource given these JWT tokens. It is written in Rust with bindings to WASM, iOS, Android, and Python.                                                                | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
 | **[Jans Lock](jans-lock)**                   | An enterprise authorization solution featuring the Cedarling, a stateless PDP and the Lock Server which centralizes audit logs and configuration.                                                                                           | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
 | **[Jans Tarp](demos/jans-tarp)**             | An OpenID Connect RP test website that runs as a browser plugin in Chrome or Firefox.                                                                                                                                                       | ![Incubating](https://img.shields.io/badge/Incubating-%23f79307) |
 | **[Jans Chip](demos/jans-chip)**             | Sample iOS and Android mobile applications that implement the full OAuth and FIDO security stack for app integrity, client constrained access tokens, and user presence.                                                                    | ![Demo](https://img.shields.io/badge/Demo-%23368af7)             |
 
 ## Installation
 
 You can install the Janssen federation stack in a Kubernetes cluster or as a 
-single VM. Check out the [Janssen Documentation](https://docs.jans.io/head/admin/install/) 
+single VM. Check out the 
+[Janssen Documentation](https://docs.jans.io/head/janssen-server/install/) 
 for details.
 
 ## Community

charts/janssen-all-in-one/README.md

@@ -134,6 +134,8 @@ Kubernetes: `>=v1.22.0-0`
 | cnConfiguratorCustomSchema | object | `{"secretName":""}` | Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. |
 | cnConfiguratorCustomSchema.secretName | string | `""` | The name of the secrets used for storing custom configuration schema. |
 | cnConfiguratorDumpFile | string | `"/etc/jans/conf/configuration.out.json"` | Path to dumped configuration schema file |
+| cnConfiguratorKey | string | `""` | Key to encrypt/decrypt configuration schema file using AES-256 CBC mode. Set the value to empty string to disable encryption/decryption, or 32 alphanumeric characters to enable it. |
+| cnConfiguratorKeyFile | string | `"/etc/jans/conf/configuration.key"` | Path to file contains key to encrypt/decrypt configuration schema file. |
 | cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. |
 | cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. |
 | cnPersistenceType | string | `"sql"` | Persistence backend to run Janssen with hybrid|sql. |

charts/janssen-all-in-one/templates/_helpers.tpl

@@ -73,10 +73,10 @@ Create optional scopes list
 {{- define "janssen-all-in-one.optionalScopes"}}
 {{ $newList := list }}
 {{- if eq .Values.configmap.cnCacheType "REDIS" }}
-{{ $newList = append $newList ("redis" | quote )  }}
+{{ $newList = append $newList "redis" }}
 {{- end}}
 {{ if eq .Values.cnPersistenceType "sql" }}
-{{ $newList = append $newList ("sql" | quote) }}
+{{ $newList = append $newList "sql" }}
 {{- end }}
 {{ toJson $newList }}
 {{- end }}
@@ -178,12 +178,78 @@ Create configuration schema-related objects.
 {{- define "janssen-all-in-one.config.schema" -}}
 {{- $commonName := (printf "%s-configuration-file" .Release.Name) -}}
 {{- $secretName := .Values.cnConfiguratorCustomSchema.secretName | default $commonName -}}
+{{- $keyName := (printf "%s-configuration-key-file" .Release.Name) -}}
 volumes:
   - name: {{ $commonName }}
     secret:
       secretName: {{ $secretName }}
+{{- if .Values.cnConfiguratorKey }}
+  - name: {{ $keyName }}
+    secret:
+      secretName: {{ $keyName }}
+{{- end }}
 volumeMounts:
   - name: {{ $commonName }}
     mountPath: {{ .Values.cnConfiguratorConfigurationFile }}
     subPath: {{ .Values.cnConfiguratorConfigurationFile | base }}
-{{- end -}}
+{{- if .Values.cnConfiguratorKey }}
+  - name: {{ $keyName }}
+    mountPath: {{ .Values.cnConfiguratorKeyFile }}
+    subPath: {{ .Values.cnConfiguratorKeyFile | base }}
+{{- end }}
+{{- end }}
+
+{{/*
+Obfuscate configuration schema (only if configuration key is available)
+*/}}
+{{- define "janssen-all-in-one.config.prepareSchema" }}
+
+{{- $configmapSchema := dict }}
+{{- $_ := set $configmapSchema "hostname" .Values.fqdn }}
+{{- $_ := set $configmapSchema "country_code" .Values.countryCode }}
+{{- $_ := set $configmapSchema "state" .Values.state }}
+{{- $_ := set $configmapSchema "city" .Values.city }}
+{{- $_ := set $configmapSchema "admin_email" .Values.email }}
+{{- $_ := set $configmapSchema "orgName" .Values.orgName }}
+{{- $_ := set $configmapSchema "auth_sig_keys" (index .Values "auth-server" "authSigKeys") }}
+{{- $_ := set $configmapSchema "auth_enc_keys" (index .Values "auth-server" "authEncKeys") }}
+{{- $_ := set $configmapSchema "optional_scopes" (include "janssen-all-in-one.optionalScopes" . | trim) }}
+{{- if .Values.saml.enabled }}
+{{- $_ := set $configmapSchema "kc_admin_username" .Values.configmap.kcAdminUsername }}
+{{- end }}
+{{- $_ := set $configmapSchema "init_keys_exp" (index .Values "auth-server-key-rotation" "initKeysLife") }}
+
+{{- $secretSchema := dict }}
+{{- $_ := set $secretSchema "admin_password" .Values.adminPassword }}
+{{- $_ := set $secretSchema "redis_password" .Values.redisPassword }}
+{{- if or ( eq .Values.cnPersistenceType "sql" ) ( eq .Values.cnPersistenceType "hybrid" ) }}
+{{- $_ := set $secretSchema "sql_password" .Values.configmap.cnSqldbUserPassword }}
+{{- end }}
+{{- if eq .Values.configSecretAdapter "vault" }}
+{{- $_ := set $secretSchema "vault_role_id" .Values.configmap.cnVaultRoleId }}
+{{- $_ := set $secretSchema "vault_secret_id" .Values.configmap.cnVaultSecretId }}
+{{- end }}
+{{- if or (eq .Values.configSecretAdapter "google") (eq .Values.configAdapterName "google") }}
+{{- $_ := set $secretSchema "google_credentials" .Values.configmap.cnGoogleSecretManagerServiceAccount }}
+{{- end }}
+{{- if or (eq .Values.configAdapterName "aws") (eq .Values.configSecretAdapter "aws") }}
+{{- $_ := set $secretSchema "aws_credentials" (include "config.aws-shared-credentials" . | b64enc) }}
+{{- $_ := set $secretSchema "aws_config" (include "config.aws-config" . | b64enc) }}
+{{- $_ := set $secretSchema "aws_replica_regions" (toJson .Values.configmap.cnAwsSecretsReplicaRegions | b64enc) }}
+{{- end }}
+{{- if .Values.saml.enabled }}
+{{- $_ := set $secretSchema "kc_db_password" .Values.configmap.kcDbPassword }}
+{{- $_ := set $secretSchema "kc_admin_password" .Values.configmap.kcAdminPassword }}
+{{- end }}
+{{- $_ := set $secretSchema "encoded_salt" .Values.salt }}
+
+{{- $schema := dict "_configmap" $configmapSchema "_secret" $secretSchema }}
+
+{{- if .Values.cnConfiguratorKey }}
+{{- printf "%s" (encryptAES .Values.cnConfiguratorKey (toPrettyJson $schema)) }}
+{{- else -}}
+{{- toPrettyJson $schema }}
+{{- end }}
+
+{{/* end of helpers */}}
+{{- end }}