github-advanced-security[bot] commented on code in PR #680:
URL: https://github.com/apache/syncope/pull/680#discussion_r1560786893


##########
core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/PolicyDataBinderImpl.java:
##########
@@ -85,13 +85,12 @@
     protected <T extends Policy> T getPolicy(final T policy, final PolicyTO 
policyTO) {
         T result = policy;
 
-        if (policyTO instanceof PasswordPolicyTO) {
+        if (policyTO instanceof PasswordPolicyTO passwordPolicyTO) {

Review Comment:
   ## Chain of 'instanceof' tests
   
   This if block performs a chain of 9 type tests - consider alternatives, e.g. 
polymorphism or the visitor pattern.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1545)



##########
core/provisioning-java/src/test/java/org/apache/syncope/core/provisioning/java/cache/VirAttrCacheKeyTest.java:
##########
@@ -16,25 +16,24 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.syncope.core.provisioning.api.cache;
+package org.apache.syncope.core.provisioning.java.cache;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import org.apache.syncope.core.provisioning.api.AbstractTest;
 import org.junit.jupiter.api.Test;
 
-public class VirAttrCacheKeyTest extends AbstractTest {
+public class VirAttrCacheKeyTest {
 
     @Test
     public void test() {
         String type = "type";
         String key = "key";
         String virSchema = "virSchema";
-        VirAttrCacheKey cacheKey = new VirAttrCacheKey(type, key, virSchema);
-        VirAttrCacheKey cacheKey2 = new VirAttrCacheKey(type, key, virSchema);
-        VirAttrCacheKey cacheKey3 = new VirAttrCacheKey(type, 
String.format(type, "3"), String.format(virSchema, "3"));
+        VirAttrCacheKey cacheKey = VirAttrCacheKey.of(type, key, virSchema);
+        VirAttrCacheKey cacheKey2 = VirAttrCacheKey.of(type, key, virSchema);
+        VirAttrCacheKey cacheKey3 = VirAttrCacheKey.of(type, 
String.format(type, "3"), String.format(virSchema, "3"));
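Review bot: `cacheKey3` on the last two lines of the hunk is not the distinct key the test appears to want: `String.format(type, "3")` evaluates to `"type"` and `String.format(virSchema, "3")` to `"virSchema"`, since neither string contains a format specifier, so the third key is `of("type", "type", "virSchema")` and differs from `cacheKey` only because the second slot happens to receive the type name rather than `"key"`. Plain concatenation states the intent and removes the dependence on that coincidence: `VirAttrCacheKey cacheKey3 = VirAttrCacheKey.of(type, key + "3", virSchema + "3");`. The same two lines recur in the second VirAttrCacheKeyTest section of this review, and the assertions of `test()` continue outside the hunk.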

Review Comment:
   ## Unused format argument
   
   This format call refers to 0 argument(s) but supplies 1 argument(s).
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1548)



##########
core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/PersistenceContext.java:
##########
@@ -1194,27 +1383,46 @@
         return new Neo4jTaskExecDAO(taskDAO, taskUtilsFactory, neo4jTemplate, 
neo4jClient, nodeValidator);
     }
 
+    @ConditionalOnMissingBean(name = UserRepoExt.CACHE)
+    @Bean(name = UserRepoExt.CACHE)
+    public Cache<EntityCacheKey, Neo4jUser> userCache(final CacheManager 
cacheManager) {
+        return cacheManager.createCache(UserRepoExt.CACHE,
+                new MutableConfiguration<EntityCacheKey, Neo4jUser>().
+                        setTypes(EntityCacheKey.class, Neo4jUser.class).
+                        setStoreByValue(false).
+                        setReadThrough(true).
+                        
setExpiryPolicyFactory(TouchedExpiryPolicy.factoryOf(Duration.ZERO)));
+    }
+
     @ConditionalOnMissingBean
     @Bean
     public UserRepoExt userRepoExt(
             final SecurityProperties securityProperties,
             final AnyUtilsFactory anyUtilsFactory,
+            final @Lazy AnyTypeDAO anyTypeDAO,
+            final @Lazy AnyTypeClassDAO anyTypeClassDAO,
             final @Lazy PlainSchemaDAO plainSchemaDAO,
             final @Lazy DerSchemaDAO derSchemaDAO,
+            final @Lazy VirSchemaDAO virSchemaDAO,
             final @Lazy DynRealmDAO dynRealmDAO,
+            final @Lazy AnyTypeClassRepoExt anyTypeClassRepoExt,
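Review bot: `setExpiryPolicyFactory(TouchedExpiryPolicy.factoryOf(Duration.ZERO))` in the new `userCache` bean looks like it expires every entry at creation rather than keeping it: if `Duration` here is `javax.cache.expiry.Duration` (the type `TouchedExpiryPolicy.factoryOf` accepts), the JCache API treats a `ZERO` duration as already expired, and the constant for entries that never expire is `Duration.ETERNAL`. If an always-warm cache is intended the line should read `setExpiryPolicyFactory(TouchedExpiryPolicy.factoryOf(Duration.ETERNAL)));`, and if immediate expiry is deliberate a one-line comment stating why would stop the next reader from "fixing" it. `setReadThrough(true)` is also set without any loader factory visible on this `MutableConfiguration`, so either the loader is registered elsewhere or read-through has nothing to load from — worth confirming. `groupCache` in the second PersistenceContext section of this review carries the same configuration, and `userRepoExt` continues outside the hunk.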

Review Comment:
   ## Useless parameter
   
   The parameter 'anyTypeClassRepoExt' is never used.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1550)



##########
core/spring/src/test/java/org/apache/syncope/core/spring/security/jws/AbstractTest.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.security.jws;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.ECDSASigner;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Date;
+import java.util.UUID;
+
+abstract class AbstractTest {
+
+    protected static final String TENANT_ID = "test-tenant-id";
+
+    protected static final String APP_ID = "test-app-id";
+
+    protected static String createSignedJWT(final JWK jwk) throws 
JOSEException {
+        // Create JWT header
+        JWSHeader header = new JWSHeader.Builder((JWSAlgorithm) 
jwk.getAlgorithm())
+                .type(JOSEObjectType.JWT)
+                .keyID(jwk.getKeyID())
+                .build();
+
+        // Create JWT payload
+        JWTClaimsSet payload = new JWTClaimsSet.Builder()
+                .issuer(TENANT_ID)
+                .audience(APP_ID)
+                .build();
+
+        // Create signed JWT
+        SignedJWT signedJWT = new SignedJWT(header, payload);
+
+        JWSSigner signer = jwk.getAlgorithm() == JWSAlgorithm.RS256
+                ? new RSASSASigner(jwk.toRSAKey())
+                : new ECDSASigner(jwk.toECKey());
+
+        signedJWT.sign(signer);
+        return signedJWT.serialize();
+    }
+
+    protected static JWK generateJWKRSA() throws NoSuchAlgorithmException {
+        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
+        gen.initialize(2048);
+        KeyPair keyPair = gen.generateKeyPair();
+
+        // Convert to JWK format
+        return new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
+                .privateKey((RSAPrivateKey) keyPair.getPrivate())
+                .keyUse(KeyUse.SIGNATURE)
+                .algorithm(JWSAlgorithm.RS256)
+                .keyID(UUID.randomUUID().toString())
+                .issueTime(new Date())
+                .build();
+    }
+
+    protected static JWK generateJWKEC() throws NoSuchAlgorithmException, 
InvalidAlgorithmParameterException {
+        // Generate EC key pair with P-256 curve
+        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
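Review bot: `jwk.getAlgorithm() == JWSAlgorithm.RS256` in `createSignedJWT` compares the algorithm by reference; that holds for keys built in this class with `.algorithm(JWSAlgorithm.RS256)`, but a JWK parsed from JSON carries its own `Algorithm` instance, and every algorithm other than RS256 silently falls through to `ECDSASigner`. `JWSAlgorithm.RS256.equals(jwk.getAlgorithm())` makes the comparison value-based, and an explicit rejection of algorithms the helper does not handle would make a mismatched key fail at the point of selection rather than inside the signer. The helpers also lack Javadoc: `createSignedJWT` should state that the token it returns carries only `iss` and `aud` claims and no expiry or `jti`, so that readers treat it as a fixture rather than a production-shaped token. `generateJWKEC` begins at the end of the hunk and continues outside it.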

Review Comment:
   ## Use of a potentially broken or risky cryptographic algorithm
   
   Cryptographic algorithm [EC](1) may not be secure, consider using a 
different algorithm.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1553)



##########
core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/PersistenceContext.java:
##########
@@ -778,28 +867,47 @@
         return neo4jRepositoryFactory.getRepository(FIQLQueryRepo.class, 
fiqlQueryRepoExt);
     }
 
+    @ConditionalOnMissingBean(name = GroupRepoExt.CACHE)
+    @Bean(name = GroupRepoExt.CACHE)
+    public Cache<EntityCacheKey, Neo4jGroup> groupCache(final CacheManager 
cacheManager) {
+        return cacheManager.createCache(GroupRepoExt.CACHE,
+                new MutableConfiguration<EntityCacheKey, Neo4jGroup>().
+                        setTypes(EntityCacheKey.class, Neo4jGroup.class).
+                        setStoreByValue(false).
+                        setReadThrough(true).
+                        
setExpiryPolicyFactory(TouchedExpiryPolicy.factoryOf(Duration.ZERO)));
+    }
+
     @ConditionalOnMissingBean
     @Bean
     public GroupRepoExt groupRepoExt(
             final ApplicationEventPublisher publisher,
             final AnyUtilsFactory anyUtilsFactory,
+            final @Lazy AnyTypeDAO anyTypeDAO,
+            final @Lazy AnyTypeClassDAO anyTypeClassDAO,
             final @Lazy PlainSchemaDAO plainSchemaDAO,
             final @Lazy DerSchemaDAO derSchemaDAO,
+            final @Lazy VirSchemaDAO virSchemaDAO,
             final @Lazy DynRealmDAO dynRealmDAO,
+            final @Lazy AnyTypeClassRepoExt anyTypeClassRepoExt,

Review Comment:
   ## Useless parameter
   
   The parameter 'anyTypeClassRepoExt' is never used.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1551)



##########
fit/core-reference/src/test/java/org/apache/syncope/fit/core/PullTaskITCase.java:
##########
@@ -238,29 +256,16 @@
 
         // Attemp to reset CSV content
         Properties props = new Properties();
-        InputStream propStream = null;
-        InputStream srcStream = null;
-        OutputStream dstStream = null;
-        try {
-            propStream = getClass().getResourceAsStream("/test.properties");
+        try (InputStream propStream = 
getClass().getResourceAsStream("/test.properties")) {
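Review bot: `getClass().getResourceAsStream("/test.properties")` in the new try-with-resources header returns `null` when the resource is absent, and try-with-resources accepts a `null` resource without complaint, so a missing file would surface later as a NullPointerException on whatever reads `propStream` rather than as a message naming the resource. Wrapping the lookup as `try (InputStream propStream = Objects.requireNonNull(getClass().getResourceAsStream("/test.properties"), "/test.properties")) {` fails directly at the lookup (`java.util.Objects` needs importing if the file does not already). The method enclosing this block starts before the hunk and continues after it.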

Review Comment:
   ## Unsafe use of getResource
   
   The idiom getClass().getResource() is unsafe for classes that may be 
extended.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1552)



##########
core/provisioning-java/src/test/java/org/apache/syncope/core/provisioning/java/cache/VirAttrCacheKeyTest.java:
##########
@@ -16,25 +16,24 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.syncope.core.provisioning.api.cache;
+package org.apache.syncope.core.provisioning.java.cache;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import org.apache.syncope.core.provisioning.api.AbstractTest;
 import org.junit.jupiter.api.Test;
 
-public class VirAttrCacheKeyTest extends AbstractTest {
+public class VirAttrCacheKeyTest {
 
     @Test
     public void test() {
         String type = "type";
         String key = "key";
         String virSchema = "virSchema";
-        VirAttrCacheKey cacheKey = new VirAttrCacheKey(type, key, virSchema);
-        VirAttrCacheKey cacheKey2 = new VirAttrCacheKey(type, key, virSchema);
-        VirAttrCacheKey cacheKey3 = new VirAttrCacheKey(type, 
String.format(type, "3"), String.format(virSchema, "3"));
+        VirAttrCacheKey cacheKey = VirAttrCacheKey.of(type, key, virSchema);
+        VirAttrCacheKey cacheKey2 = VirAttrCacheKey.of(type, key, virSchema);
+        VirAttrCacheKey cacheKey3 = VirAttrCacheKey.of(type, 
String.format(type, "3"), String.format(virSchema, "3"));

Review Comment:
   ## Unused format argument
   
   This format call refers to 0 argument(s) but supplies 1 argument(s).
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/1549)


