feat(jans-lock): lock should collect MAU and MAC based on log entries… (

#10328) * feat(jans-lock): lock should collect MAU and MAC based on log entries requests Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): add sse/config endpoints protection Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): add configurable error response types support Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): add table for lock stat entries Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): increase clnData size Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): fix errorResponseFactory dependecy Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): enable stats by default Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): update protection api to allow use annotations defined in interfaces Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): define lock SSE scope in installer to pre-create it Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-linux-setup): create jans-lock scopes Signed-off-by: Mustafa Baser <[email protected]> * feat(jans-lock): add lock scopes Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-lock): use same scopes namespace Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-bom): remove artifact duplicates Signed-off-by: Yuriy Movchan <[email protected]> --------- Signed-off-by: Yuriy Movchan <[email protected]> Signed-off-by: Mustafa Baser <[email protected]> Co-authored-by: Mustafa Baser <[email protected]> Co-authored-by: Yuriy M. <[email protected]>
JanssenProject · Jan 6, 2025 · b8a7e1a · b8a7e1a
1 parent 58fd359
commit b8a7e1a
Show file tree

Hide file tree

Showing 43 changed files with 1,910 additions and 112 deletions.
diff --git a/jans-auth-server/pom.xml b/jans-auth-server/pom.xml
@@ -134,6 +134,7 @@
                 <version>1.6.0</version>
             </dependency>
 
+
 			<!-- Weld -->
 			<dependency>
 				<groupId>org.jboss.weld</groupId>

diff --git a/jans-auth-server/server/pom.xml b/jans-auth-server/server/pom.xml
@@ -273,7 +273,6 @@
         <dependency>
             <groupId>io.prometheus</groupId>
             <artifactId>simpleclient_common</artifactId>
-            <version>0.9.0</version>
         </dependency>
         <dependency>
             <groupId>net.agkn</groupId>

diff --git a/jans-bom/pom.xml b/jans-bom/pom.xml
@@ -499,16 +499,21 @@
 				<artifactId>commons-text</artifactId>
 				<version>1.12.0</version>
 			</dependency>
-			<dependency>
-				<groupId>commons-beanutils</groupId>
-				<artifactId>commons-beanutils</artifactId>
-				<version>1.9.4</version>
-			</dependency>
 			<dependency>
 				<groupId>commons-collections</groupId>
 				<artifactId>commons-collections</artifactId>
 				<version>3.2.2</version>
 			</dependency>
+			<dependency>
+				<groupId>io.prometheus</groupId>
+				<artifactId>simpleclient_common</artifactId>
+				<version>0.9.0</version>
+			</dependency>
+            <dependency>
+                <groupId>net.agkn</groupId>
+                <artifactId>hll</artifactId>
+                <version>1.6.0</version>
+            </dependency>
 
 			<!-- Logging -->
 			<dependency>
@@ -605,7 +610,7 @@
 				<artifactId>jackson-dataformat-cbor</artifactId>
 				<version>${jackson.version}</version>
 			</dependency>
-		<!-- 	<dependency>
+			<!-- 	<dependency>
 				<groupId>jakarta.xml.bind</groupId>
 				<artifactId>jakarta.xml.bind-api</artifactId>
 				<version>2.3.3</version>
@@ -788,7 +793,7 @@
 				<artifactId>metrics-core</artifactId>
 				<version>4.2.12</version>
 			</dependency>
-			
+
 			<!-- Timer -->
 			<dependency>
 				<groupId>org.quartz-scheduler</groupId>
@@ -832,7 +837,7 @@
 				<artifactId>velocity-engine-core</artifactId>
 				<version>2.3</version>
 			</dependency>
-			
+
 			<!-- Date/time utils -->
 			<dependency>
 				<groupId>joda-time</groupId>
@@ -897,8 +902,8 @@
 				<version>${mockito.version}</version>
 				<scope>test</scope>
 			</dependency>
-				
-            <!-- java compiler lib -->
+
+			<!-- java compiler lib -->
             <dependency>
                 <groupId>net.openhft</groupId>
                 <artifactId>compiler</artifactId>

diff --git a/jans-linux-setup/jans_setup/schema/jans_schema.json b/jans-linux-setup/jans_setup/schema/jans_schema.json
@@ -2454,6 +2454,17 @@
       "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
       "x_origin": "Jans created attribute"
     },
+    {
+      "desc": "Jans client data",
+      "equality": "caseIgnoreMatch",
+      "names": [
+        "clntDat"
+      ],
+      "oid": "jansAttr",
+      "substr": "caseIgnoreSubstringsMatch",
+      "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+      "x_origin": "Jans created attribute"
+    },
     {
       "desc": "OX PKCE code challenge",
       "equality": "caseIgnoreMatch",
@@ -4083,6 +4094,7 @@
         "requestedResource"
       ],
       "oid": "jansAttr",
+      "rdbm_json_column": true,
       "substr": "caseIgnoreSubstringsMatch",
       "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
       "x_origin": "Jans created attribute"
@@ -5209,6 +5221,27 @@
       ],
       "x_origin": "Jans created objectclass"
     },
+    {
+      "kind": "STRUCTURAL",
+      "may": [
+        "jansId",
+        "dat",
+        "clntDat",
+        "jansData",
+        "attr"
+      ],
+      "must": [
+        "objectclass"
+      ],
+      "names": [
+        "jansLockStatEntry"
+      ],
+      "oid": "jansObjClass",
+      "sup": [
+        "top"
+      ],
+      "x_origin": "Jans Lock created objectclass"
+    },
     {
       "kind": "STRUCTURAL",
       "may": [

diff --git a/jans-linux-setup/jans_setup/setup_app/installers/base.py b/jans-linux-setup/jans_setup/setup_app/installers/base.py
@@ -1,22 +1,33 @@
 import os
 import uuid
 import inspect
+import json
 
 from setup_app import paths
 from setup_app.utils import base
 from setup_app.config import Config
+from setup_app.pylib.ldif4.ldif import LDIFWriter
+
 from setup_app.utils.db_utils import dbUtils
 from setup_app.utils.progress import jansProgress
 from setup_app.utils.printVersion import get_war_info
 
 class BaseInstaller:
     needdb = True
     dbUtils = dbUtils
+    service_scopes_created = False
 
     def register_progess(self):
+        if not hasattr(self, 'output_folder'):
+            self.output_folder = os.path.join(Config.output_dir, self.service_name)
+
+        if not hasattr(self, 'templates_dir'):
+            self.templates_dir = os.path.join(Config.templateFolder, self.service_name)
+
         jansProgress.register(self)
 
     def start_installation(self):
+
         if not hasattr(self, 'pbar_text'):
             pbar_text = "Installing " + self.service_name.title()
         else:
@@ -44,6 +55,9 @@ def start_installation(self):
         self.render_unit_file()
 
         self.render_import_templates()
+        if not self.service_scopes_created:
+            self.create_scopes()
+
         self.update_backend()
         self.service_post_setup()
 
@@ -244,3 +258,41 @@ def service_post_setup(self):
 
     def service_post_install_tasks(self):
         pass
+
+    def create_scopes(self):
+        scopes_json_fn = os.path.join(self.templates_dir, 'scopes.json')
+
+        if not os.path.exists(scopes_json_fn):
+            return
+
+        self.logIt(f"Creating {self.service_name} scopes from {scopes_json_fn}")
+        scopes = base.readJsonFile(scopes_json_fn)
+        scopes_ldif_fn = os.path.join(self.output_folder, 'scopes.ldif')
+        self.createDirs(self.output_folder)
+
+        scopes_list = []
+
+        with open(scopes_ldif_fn, 'wb') as scope_ldif_fd:
+            ldif_scopes_writer = LDIFWriter(scope_ldif_fd, cols=1000)
+            for scope in scopes:
+                scope_dn = 'inum={},ou=scopes,o=jans'.format(scope['inum'])
+                scopes_list.append(scope_dn)
+                ldif_dict = {
+                            'objectClass': ['top', 'jansScope'],
+                            'description': [scope['description']],
+                            'displayName': [scope['displayName']],
+                            'inum': [scope['inum']],
+                            'jansDefScope': [str(scope['jansDefScope'])],
+                            'jansId': [scope['jansId']],
+                            'jansScopeTyp': [scope['jansScopeTyp']],
+                            'jansAttrs': [json.dumps({
+                                            "spontaneousClientId":None,
+                                            "spontaneousClientScopes":[],
+                                            "showInConfigurationEndpoint": False
+                                        })],
+                        }
+                ldif_scopes_writer.unparse(scope_dn, ldif_dict)
+
+        self.dbUtils.import_ldif([scopes_ldif_fn])
+        self.service_scopes_created = True
+        return scopes_list
diff --git a/jans-linux-setup/jans_setup/setup_app/installers/jans_casa.py b/jans-linux-setup/jans_setup/setup_app/installers/jans_casa.py
@@ -78,7 +78,8 @@ def add_plugins(self):
 
 
     def generate_configuration(self):
-        self.casa_scopes = self.create_scopes()
+        if not hasattr(self, 'casa_scopes'):
+            self.casa_scopes = self.create_scopes()
 
         self.check_clients([('casa_client_id', self.client_id_prefix)])
 
@@ -117,38 +118,6 @@ def create_folders(self):
             self.createDirs(os.path.join(self.jetty_service_dir, cdir))
 
 
-    def create_scopes(self):
-        self.logIt("Creating Casa client scopes")
-        scopes = base.readJsonFile(self.scopes_fn)
-        casa_scopes_ldif_fn = os.path.join(self.output_folder, 'scopes.ldif')
-        self.createDirs(self.output_folder)
-        scope_ldif_fd = open(casa_scopes_ldif_fn, 'wb')
-        scopes_list = []
-
-        ldif_scopes_writer = LDIFWriter(scope_ldif_fd, cols=1000)
-
-        for scope in scopes:
-            scope_dn = 'inum={},ou=scopes,o=jans'.format(scope['inum'])
-            scopes_list.append(scope_dn)
-            ldif_dict = {
-                        'objectClass': ['top', 'jansScope'],
-                        'description': [scope['description']],
-                        'displayName': [scope['displayName']],
-                        'inum': [scope['inum']],
-                        'jansDefScope': [str(scope['jansDefScope'])],
-                        'jansId': [scope['jansId']],
-                        'jansScopeTyp': [scope['jansScopeTyp']],
-                        'jansAttrs': [json.dumps({"spontaneousClientId":None, "spontaneousClientScopes":[], "showInConfigurationEndpoint": False})],
-                    }
-            ldif_scopes_writer.unparse(scope_dn, ldif_dict)
-
-        scope_ldif_fd.close()
-
-        self.dbUtils.import_ldif([casa_scopes_ldif_fn])
-
-        return scopes_list
-
-
     def service_post_setup(self):
         self.writeFile(os.path.join(self.jetty_service_dir, '.administrable'), '', backup=False)
         self.chown(self.jetty_service_dir, Config.jetty_user, Config.jetty_group, recursive=True)
diff --git a/jans-linux-setup/jans_setup/static/rdbm/sql_data_types.json b/jans-linux-setup/jans_setup/static/rdbm/sql_data_types.json
@@ -4,6 +4,11 @@
       "type": "TEXT"
     }
   },
+  "clntDat": {
+    "mysql": {
+      "type": "TEXT"
+    }
+  },
   "description": {
     "mysql": {
       "size": 768,

diff --git a/jans-linux-setup/jans_setup/templates/jans-lock/dynamic-conf.json b/jans-linux-setup/jans_setup/templates/jans-lock/dynamic-conf.json
@@ -51,6 +51,7 @@
   "metricReporterInterval": 300,
   "metricReporterKeepDataDays": 15,
   "metricReporterEnabled": true,
+  "statEnabled": true,
   "errorReasonEnabled": false,
   "opaConfiguration": {
     "baseUrl": "http://%(jans_opa_host)s:%(jans_opa_port)s/v1/",

diff --git a/jans-linux-setup/jans_setup/templates/jans-lock/errors.json b/jans-linux-setup/jans_setup/templates/jans-lock/errors.json
@@ -1,9 +1,26 @@
 {
-  "common": [
-    {
-      "id": "unknown_error",
-      "description": "Unknown or not found error",
-      "uri": null
-    }
-  ]
-}
+    "common": [
+        {
+             "id": "invalid_request",
+             "description": "The request is missing a required parameter, includes an unsupported parameter or parameter value, or is otherwise malformed",
+             "uri": null
+        },
+        {
+             "id": "unknown_error",
+             "description": "Unknown or not found error",
+             "uri": null
+        }
+    ],
+    "stat":[
+        {
+            "id":"invalid_request",
+            "description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.",
+            "uri":null
+        },
+        {
+            "id":"access_denied",
+            "description":"The resource owner or authorization server denied the request.",
+            "uri":null
+        }
+    ]
+  }
diff --git a/jans-linux-setup/jans_setup/templates/jans-lock/scopes.json b/jans-linux-setup/jans_setup/templates/jans-lock/scopes.json
@@ -0,0 +1,10 @@
+[
+  {
+    "inum": "4000.01.1",
+    "jansId": "https://jans.io/oauth/lock/sse.read",
+    "displayName": "Lock API scope",
+    "description": "Permission to access SSE endpoint",
+    "jansDefScope": false,
+    "jansScopeTyp": "oauth"
+  }
+]
diff --git a/jans-linux-setup/jans_setup/templates/jans-lock/static-conf.json b/jans-linux-setup/jans_setup/templates/jans-lock/static-conf.json
@@ -6,6 +6,7 @@
         "attributes":"ou=attributes,o=jans",
         "tokens":"ou=tokens,o=jans",
         "sessions":"ou=sessions,o=jans",
-        "metric":"ou=statistic,o=metric"
+        "metric":"ou=statistic,o=metric",
+        "stat": "ou=lock,ou=stat,o=jans"
     }
 }