feat(jans-auth-server): OpenID AuthZEN implementation #9596
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* docs: update developer guide #8852 Signed-off-by: jgomer2001 <[email protected]> * chore: disable super gluu extension #8852 Signed-off-by: jgomer2001 <[email protected]> * chore: avoid image duplication #8847 Signed-off-by: jgomer2001 <[email protected]> * chore: revert changes in login form #8852 Signed-off-by: jgomer2001 <[email protected]> --------- Signed-off-by: jgomer2001 <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
* chore: update casa gitignore #8846 Signed-off-by: jgomer2001 <[email protected]> * chore: remove unused files #9327 Signed-off-by: jgomer2001 <[email protected]> * docs: re-arrange list of plugins #8852 Signed-off-by: jgomer2001 <[email protected]> --------- Signed-off-by: jgomer2001 <[email protected]>
…records (#9334) * feat(jans-config-api): update log/telemetry/health entries Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-config-api): update log/telemetry/health entries Signed-off-by: Yuriy Movchan <[email protected]> --------- Signed-off-by: Yuriy Movchan <[email protected]>
* feat: remove mounted files for sql persistence Signed-off-by: iromli <[email protected]> * feat: remove mounted files for couchbase persistence Signed-off-by: iromli <[email protected]> * feat: remove mounted files for ldap persistence Signed-off-by: iromli <[email protected]> * fix: handle hybrid persistence Signed-off-by: iromli <[email protected]> * feat: remove unused ldap-cron-pass secret Signed-off-by: iromli <[email protected]> Merging but its missing docs. Auto doc generator will take care of it. --------- Signed-off-by: iromli <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
Signed-off-by: iromli <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
Signed-off-by: Mustafa Baser <[email protected]>
#9343) feat(jans-config-api): add endpoint to load log/telemetery/health data for specific period Signed-off-by: Yuriy Movchan <[email protected]>
* feat(jans-auth-server): AS supports acr aliasing but it's not published on discovery. It should be added to discovery. #9166 Signed-off-by: YuriyZ <[email protected]> * feat(jans-auth-server): added acr_mappings to doc sample #9166 Signed-off-by: YuriyZ <[email protected]> --------- Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: Yuriy Movchan <[email protected]>
Signed-off-by: Yuriy Movchan <[email protected]>
Signed-off-by: Yuriy Movchan <[email protected]>
Signed-off-by: moabu <[email protected]>
…in id_token (#9358) Signed-off-by: Arnab Dutta <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
* ci: forces download each time on packaging Signed-off-by: moabu <[email protected]> * ci: forces download each time on packaging Signed-off-by: moabu <[email protected]> --------- Signed-off-by: moabu <[email protected]> Signed-off-by: Mohammad Abudayyeh <[email protected]>
…ly if using ldap persistence (#9323) Signed-off-by: iromli <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
…iat #9320 (#9375) Signed-off-by: YuriyZ <[email protected]>
… /jans-bom (#9308) chore(deps): bump com.mysql:mysql-connector-j in /jans-bom Bumps [com.mysql:mysql-connector-j](https://github.com/mysql/mysql-connector-j) from 8.0.32 to 8.2.0. - [Changelog](https://github.com/mysql/mysql-connector-j/blob/release/9.x/CHANGES) - [Commits](mysql/mysql-connector-j@8.0.32...8.2.0) --- updated-dependencies: - dependency-name: com.mysql:mysql-connector-j dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… /jans-casa/app-fips (#8514) chore(deps): bump org.bouncycastle:bc-fips in /jans-casa/app-fips Bumps org.bouncycastle:bc-fips from 1.0.2.4 to 1.0.2.5. --- updated-dependencies: - dependency-name: org.bouncycastle:bc-fips dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…/jans-bom (#6357) chore(deps): bump org.apache.santuario:xmlsec in /jans-bom Bumps org.apache.santuario:xmlsec from 2.2.4 to 2.2.6. --- updated-dependencies: - dependency-name: org.apache.santuario:xmlsec dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Yuriy Movchan <[email protected]>
… /jans-config-api (#7911) chore(deps-dev): bump org.bitbucket.b_c:jose4j in /jans-config-api Bumps [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) from 0.9.3 to 0.9.4. - [Commits](https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.4..jose4j-0.9.3) --- updated-dependencies: - dependency-name: org.bitbucket.b_c:jose4j dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore: use pythonic style #9181 Signed-off-by: jgomer2001 <[email protected]>
* feat(jans-core): update OpeDJ version Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-auth): set auth_user session attribute from authenticateByUserInum method Signed-off-by: Yuriy Movchan <[email protected]> --------- Signed-off-by: Yuriy Movchan <[email protected]>
* fix(config-api): asset mgt endpoint fixes Signed-off-by: pujavs <[email protected]> * feat(config-api): asset upload mgt ehancement and fido Signed-off-by: pujavs <[email protected]> * feat(config-api): asset upload mgt ehancement and fido Signed-off-by: pujavs <[email protected]> * feat(config-api): asset upload mgt ehancement and fido Signed-off-by: pujavs <[email protected]> * fix(config-api): asset upload Signed-off-by: pujavs <[email protected]> * fix(config-api): lock review comments Signed-off-by: pujavs <[email protected]> * feat(config-api): lock code review comments Signed-off-by: pujavs <[email protected]> * feat(config-api): lock master renamed to lock server Signed-off-by: pujavs <[email protected]> * feat(config-api): lock master renamed to lock server Signed-off-by: pujavs <[email protected]> * feat(config-api): lock master renamed to lock server Signed-off-by: pujavs <[email protected]> * feat(config-api): lock master renamed to lock server Signed-off-by: pujavs <[email protected]> * feat(config-api): fido2 delete functionality Signed-off-by: pujavs <[email protected]> * fix(config-api): acr validation Signed-off-by: pujavs <[email protected]> * feat(config-api): doc(config-api): IDP schema attribute descriptions #9187 Signed-off-by: pujavs <[email protected]> * feat(config-api): sync with main Signed-off-by: pujavs <[email protected]> * feat(config-api): uploading assets via API generates 2 entries #9178 Signed-off-by: pujavs <[email protected]> * feat(config-api): asset mgt, fido and IDP changes Signed-off-by: pujavs <[email protected]> * feat(config-api): fido2 device endpoint Signed-off-by: pujavs <[email protected]> * feat(config-api): fido2 endpoint Signed-off-by: pujavs <[email protected]> * feat(config-api): fido2 endpoint Signed-off-by: pujavs <[email protected]> * feat(config-api): sync with main Signed-off-by: pujavs <[email protected]> * feat(config-api): sync with main Signed-off-by: pujavs <[email protected]> * feat(config-api): sync with main Signed-off-by: pujavs <[email protected]> * feat(config-api): resolved sonar review issues Signed-off-by: pujavs <[email protected]> * feat(config-api): sonar review comment fix Signed-off-by: pujavs <[email protected]> * feat(config-api): swagger spec Signed-off-by: pujavs <[email protected]> * feat(config-api): saml config attribute description Signed-off-by: pujavs <[email protected]> * doc(config-api): added SAML attribute description Signed-off-by: pujavs <[email protected]> * doc(config-api): added SAML attribute description Signed-off-by: pujavs <[email protected]> * feat(config-api): sync with main Signed-off-by: pujavs <[email protected]> * fix(jans-lock): code review comment fix isssue#9305 Signed-off-by: pujavs <[email protected]> * fix(jans-lock): code review comment fix isssue#9305 Signed-off-by: pujavs <[email protected]> * feat(config-api): lock review point Signed-off-by: pujavs <[email protected]> * fix(lock): code review comment Signed-off-by: pujavs <[email protected]> * fix(lock): code review comment Signed-off-by: pujavs <[email protected]> * fix(config-api): sync with main Signed-off-by: pujavs <[email protected]> * feat(config-api): lock endpoint fixes and SAML IDP NPE Signed-off-by: pujavs <[email protected]> --------- Signed-off-by: pujavs <[email protected]> Co-authored-by: YuriyZ <[email protected]>
* Initializing branch for Cedarling MVP Signed-off-by: Arnab Dutta <[email protected]> * rust demo code without connect to python * cargo improvements * fix format rule * add to gitignore files that is used in debug process * add parsing roles from token and it mapping * remove unused text in readme * added guide how to build * add python binding * python example hotfix * make Id in python example more illustrative * update to make tokens field jti optional * fix readme file * feat: store the sample policy stores in demo folder #9373 Signed-off-by: Arnab Dutta <[email protected]> * rename role mapper to token mapper * add loading policy store from file or json * show in example that we can use setter * use single quote for action in python example * update python bindings to use object Request * add readme to demo data folder * updated README.md * update cedarling_python/README.md --------- Signed-off-by: Arnab Dutta <[email protected]> Co-authored-by: Arnab Dutta <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
…on backends (#9389) * feat(jans-pycloudlib): handle required files for external configuration backends Signed-off-by: iromli <[email protected]> * feat(jans-pycloudlib): populate google credentials if using spanner persistence Signed-off-by: iromli <[email protected]> * fix(jans-pycloudlib): resolve broken dependency for google-cloud-secret-manager lib Signed-off-by: iromli <[email protected]> --------- Signed-off-by: iromli <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
…9395) user in session Signed-off-by: Yuriy Movchan <[email protected]>
Signed-off-by: Mustafa Baser <[email protected]>
…9398) * feat(jans-core): add jansFilePath to document store Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-core): set filePath and fileName from imput path * feat(config-api): asset mgt changes to store filePath in separate field Signed-off-by: pujavs <[email protected]> --------- Signed-off-by: Yuriy Movchan <[email protected]> Signed-off-by: pujavs <[email protected]> Co-authored-by: pujavs <[email protected]>
* fix: high CPU usage on opening tarp #9390 Signed-off-by: Arnab Dutta <[email protected]> * feat: resolving review comments Signed-off-by: Arnab Dutta <[email protected]> * feat: correct comments Signed-off-by: Arnab Dutta <[email protected]> --------- Signed-off-by: Arnab Dutta <[email protected]>
) * feat(jans-cedarling): implement KeyService for JwtService - implemented a `KeyService` for `JwtService` that manages decoding keys which are used to validate Json Web Tokens (JWTs). Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement GetKey for KeyService Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): integrate jwt::KeyService with jwt::DecodingStrategy Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): replace custom mockhttp with mockito and refactor services - Replaced custom `mockhttp` with `mockito` for simulating HTTP requests in tests. - Refactored `JwtService` and `KeyService` to remove the need for the `GetKey` trait. `KeyService` can now be initialized directly, simplifying the code and improving clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): restructure folder layout, improve documentation, and simplify services - restructured the folder structure in the /jwt module for better organization. - added comprehensive docstrings to enhance code readability and maintainability. - simplified KeyService and DecodingStrategy by removing unnecessary traits for their communication. Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): move mockito from dependencies to dev-dependencies for cleaner build Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): add trusted_issuers field to the PolicyStore Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): reuse HTTP client and switch to eprintln for error logging - reuse a HTTP client initialized on init for `KeyService` when making requests to improve efficiency - replaced `println!` with `eprintln!` for better error logging Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement custom error handling for lock acquisition failure - added error handling for cases where acquiring a lock on decoding keys fails - replaced `unwrap()` with a custom error to handle poisoned locks gracefully Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement validation for `userinfo_token` - validate the `userinfo_token` to ensure its integrity and correctness - verify that the `client_id` of the `userinfo_token` matches the `aud` of the corresponding `access_token` - verify that the `sub` of the `userinfo_token` matches the `sub` of the corresponding `id_token` Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): update token examples in `/examples` directory - revise example tokens to reflect current requirements Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused fields from tokens in `jwt::token` - clean up the `jwt::token` module by removing fields that are unused. Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement specific error messages for invalid token types - introduced `InvalidAccessToken` error for invalid access tokens - introduced `InvalidIdToken` error for invalid ID tokens - introduced `InvalidUserinfoToken` error for invalid userinfo tokens - this change provides clearer feedback based on the type of invalid token encountered Signed-off-by: rmarinn <[email protected]> * docs: changes in policy store docs Signed-off-by: Arnab Dutta <[email protected]> * feat(jans-cedarling): implement Deserialize for TokenKind - implement Deserialize for TokenKind instead of using the derialize_with macro Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move test mod from init/test.rs into init/policy_store.rs Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): remove redundant assert in errors_on_multiple_mappings Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement Copy trait for TokenKind enum - added the Copy trait implementation to TokenKind for more efficient value handling Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): remove unnecessary .clone() calls on TokenKind Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): change MultipleRoleMappings error to use Vec<String> - updated the MultipleRoleMappings error variant to store a Vec<String> instead of a single String, allowing it to capture multiple tokens with role mappings. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename fields in PolicyStore to be more descriptive - rename `schema` field in `PolicyStore` to `cedar_schema` - rename `policies` field in `PolicyStore` to `cedar_policies` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): improve naming and deserialization for PolicyStore - policy_store_id is now only required when loading from Lock Master, simplifying the structure of policy_store.json - renamed and simplified field and function names for better clarity in policy deserialization - updated docstrings to enhance understanding of PolicyStore fields and deserialization process - updated test cases to reflect new naming conventions and improve error handling Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): introduce cedar_version field in policy_store.json - added support for the cedar_version field to specify the version of Cedar being used. - this enhancement allows for version-specific parsing of schemas and policies during deserialization. - updated relevant structures and deserialization logic to validate the cedar_version format. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): move deserialization logic for multiple roles to PolicyStore - checking for multiple roles now occurs during the deserialization of PolicyStore - the corresponding test has been relocated from `init/policy_store.rs` to `common/policy_store.rs` for better organization and clarity. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): rename parse_policy to parse_single_policy - rename `parse_policy` to `parse_single_policy` to make the intent of calling the function clearer Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * docs(jans-cedarling): add missing docstrings in common/policy_store.rs Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/cedarling/cedarling-policy-store.md Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update docs/dedarling/cedarling-jwt.md Signed-off-by: rmarinn <[email protected]> * docs: fixing review comments Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): uncomment previously commented functions Signed-off-by: rmarinn <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * docs: correct policy store format Signed-off-by: Arnab Dutta <[email protected]> * fix(jans-cedarling): remove unused commented code Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix docstrings in PolicyStore Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): renamed `check_token_metadata` to `parse_and_check_token_metadata` Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): replace custom version parsing with the semver crate Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): simplify TokenKind parsing - removed the need for a Visitor in parsing logic - users now pass `access_token`, `id_token`, `userinfo_token`, or `transaction_token` (case-insensitive) as the token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): simplify policy parsing by removing unnecessary Ok wrapper Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add unit test for handling invalid token type Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace string with JSON macro for invalid token metadata test Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): enhance policy deserialization error handling - updated the deserialization logic to collect and report multiple errors encountered during policy parsing Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): move tests to a separate file and enhance input clarity - reorganized tests into a dedicated file for better structure - improved readability of policy and schema inputs in the tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve Clippy warnings - fixed needless borrows to improve code efficiency Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): add specific error assertion in unit tests Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): add comments to the tokens in the examples - added comments so it's obvious what's in the claims in the tokens string in the examples directory Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): fix broken example with jwt validation Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): update incorrect docstrings Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): resolve clippy warnings Signed-off-by: rmarinn <[email protected]> * refactor(jwt): convert extract_claims to an associated function - moved the `extract_claims` function out of the method that uses `self`, making it an associated function to avoid unnecessary usage of `self` while preserving organization within the impl block. Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): revert to custom Error for unsupported algorithm parsing - manually reverted to returning a custom Error when parsing an unsupported algorithm, preserving previous error reporting behavior Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): fix clippy warnings Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): fix wrong example in the docs - renamed `person_id` to `user_id` in the example Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): replace `person_id` with `user_id` Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused traits file Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): update examples to align with schema changes Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): update README.md - update README to show how to run the new tests Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): improve error handling Signed-off-by: rmarinn <[email protected]> * fix(jans-cedarling): revert unintended change to the docs by a merge Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): fix python unit tests Signed-off-by: Oleh Bohzok <[email protected]> * chore(jans-cedarling): fix misspelled test function name Signed-off-by: rmarinn <[email protected]> * test(jans-cedarling): improve test assertion and specificity Signed-off-by: rmarinn <[email protected]> --------- Signed-off-by: rmarinn <[email protected]> Signed-off-by: Arnab Dutta <[email protected]> Signed-off-by: Oleh Bohzok <[email protected]> Co-authored-by: Arnab Dutta <[email protected]> Co-authored-by: Oleh Bohzok <[email protected]>
Signed-off-by: Yuriy Movchan <[email protected]>
…ure flag Signed-off-by: YuriyZ <[email protected]>
…/benchmarking/docker-jans-loadtesting-jmeter (#9988) chore(deps): bump blazemeter/taurus Bumps blazemeter/taurus from 1.16.33 to 1.16.35. --- updated-dependencies: - dependency-name: blazemeter/taurus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mohammad Abudayyeh <[email protected]>
…9701) * feat(jans-core): integrate document store manager into applications Signed-off-by: Yuriy Movchan <[email protected]> * feat(jans-core): integrate document store manager into applications Signed-off-by: Yuriy Movchan <[email protected]> --------- Signed-off-by: Yuriy Movchan <[email protected]> Co-authored-by: YuriyZ <[email protected]>
…ervice Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: Mustafa Baser <[email protected]>
|
|
|
… service Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: YuriyZ <[email protected]>
…ion endpoint class methods Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: YuriyZ <[email protected]>
… discovery Signed-off-by: YuriyZ <[email protected]>
Signed-off-by: YuriyZ <[email protected]>
… discovery client Signed-off-by: YuriyZ <[email protected]>
|
|
|
Signed-off-by: YuriyZ <[email protected]>
|
Signed-off-by: YuriyZ <[email protected]>
|
|
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
feat(jans-auth-server): OpenID AuthZEN implementation
Target issue
closes #9557
Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.