feat(config-api): new endpoint for jans service status and file type script enhancement

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

1. Issue#9979: fix(jans-tui): Saving a script as a file is not working
2. Issue#9884: feat(jans-config-api): need health APIs for FIDO, KC, SCIM, CASA

Target issue

closes #9884 #9979

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request covers various updates and improvements to the Jans Config API application, with a focus on the health monitoring and service status reporting functionality, and while the changes do not appear to introduce immediate security vulnerabilities, there are a few areas that should be carefully reviewed and addressed to maintain the overall security of the application.

Expand for full summary

Summary:

The code changes in this pull request cover various updates and improvements to the Jans Config API application, with a focus on the health monitoring and service status reporting functionality. The changes include the addition of new API endpoints, improvements to date and integer data handling, and the introduction of example responses for certain endpoints.

From an application security perspective, the changes do not appear to introduce any immediate security vulnerabilities. However, there are a few areas that should be carefully reviewed and addressed to maintain the overall security of the application:

1. Sensitive Information Exposure: The new /health/service-status endpoint and the example server-stat.json file could potentially expose sensitive information about the server's infrastructure, such as hostname, IP address, and system metrics. Ensure that access to this information is properly restricted and that no sensitive data is inadvertently included.

2. Input Validation and Sanitization: While the changes include some improvements to input handling, such as the null check for assertionValue and the use of the escapeLog() method, it's important to thoroughly review all user input validation and sanitization across the application to prevent common web application vulnerabilities like SQL injection, command injection, and cross-site scripting (XSS).

3. Authorization and Access Control: Ensure that the new health monitoring and service status endpoints are properly protected and accessible only to authorized users or roles. Regularly review the access control mechanisms to prevent unauthorized access to sensitive information or functionality.

4. Secure Handling of Sensitive Data: The application interacts with various external programs and services to gather system information. Ensure that any sensitive data, such as credentials or API keys, are properly secured and not exposed in the application's logs or responses.

5. Hardcoded Paths and Configuration: While the changes include some improvements, such as the use of the getIso8601Date() method, there are still some instances of hardcoded paths and configuration values. Consider making these more configurable to improve the application's maintainability and security.

Overall, the changes appear to be focused on improving the functionality and robustness of the Jans Config API application. By addressing the security considerations outlined above, the application's security posture can be further strengthened and the risk of potential vulnerabilities can be reduced.

Files Changed:

1. ApiConstants.java: The changes introduce a new constant for a /service-status endpoint, which should be reviewed for proper implementation of security controls.
2. CustomScriptResource.java: The changes address the handling of custom scripts with a FILE location type, which is a positive security enhancement.
3. ApiHealthCheck.java: The changes include the addition of a new /health/service-status endpoint, which should be carefully reviewed for potential sensitive information exposure and proper access control.
4. server-stat.json: The new JSON file contains potentially sensitive server information, and its access should be properly restricted.
5. TokenService.java: The changes improve the handling of token-related operations, which is a security-sensitive area that requires ongoing review and monitoring.
6. StatusCheckerTimer.java: The changes introduce the execution of external programs to gather system information, which should be reviewed for potential command injection vulnerabilities and secure handling of any sensitive data.
7. service-status.json: The new JSON file represents the status of various services, and its access should be properly controlled to prevent information disclosure.
8. DataUtil.java: The changes improve the handling of date and integer data types, which is a positive security enhancement.
9. jans-config-api-swagger.yaml: The changes include the addition of example responses for the health monitoring and service status endpoints, which should be reviewed for potential security implications.

Code Analysis

We ran 9 analyzers against 9 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	4 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarcloud]

Quality Gate passed for 'jans-pycloudlib'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud