Skip to content

feat: common policy-based authorization cedarling module #14521#14522

Open
yurem wants to merge 100 commits into
mainfrom
jans-config-10757
Open

feat: common policy-based authorization cedarling module #14521#14522
yurem wants to merge 100 commits into
mainfrom
jans-config-10757

Conversation

@yurem

@yurem yurem commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Prepare


Description

Added common cedar code in jans-core.

Target issue

closes #14521
A new cedarling module that can be integrated into backend Java services for policy-based authorization

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Closes #14523,

Summary by CodeRabbit

  • New Features
    • Added selectable API lock protection with protectionMode supporting Cedarling and configurable cedarlingConfiguration.
    • Introduced Cedarling-based authorization and automated policy downloading/loading, including Lock audit/telemetry permission checks.
  • Documentation
    • Updated OpenAPI/Swagger definitions for Cedarling configuration, permission/attribute access flags, and Lock audit/telemetry naming (camelCase).
  • Bug Fixes
    • Improved authorization logging when OAuth validation is enabled.
  • Tests
    • Added/expanded end-to-end and service-level Cedarling authorization, protection, and policy integration tests.

pujavs added 30 commits April 24, 2025 20:42
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
pujavs had a problem deploying to integration-tests July 14, 2026 17:16 — with GitHub Actions Failure
@pujavs
pujavs had a problem deploying to integration-tests July 14, 2026 17:16 — with GitHub Actions Failure

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
jans-config-api/server/src/main/java/io/jans/configapi/filters/AuthorizationFilter.java (1)

71-77: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Remove remaining verbose INFO logs.

The log.info statements on lines 71 and 76 were left behind from previous cleanups. They contain excessive formatting (\n\n\n and ======) and generate unnecessary noise on every unauthorized request. Please downgrade them to DEBUG or remove them entirely.

♻️ Proposed fix
-        log.info("\n\n\n AuthorizationFilter::filter() - Config Api OAuth Valdation Enabled");
         if (!isTokenBasedAuthentication(authorizationHeader)) {
             log.warn("AuthorizationFilter - token-based authorization required for {} {}", context.getMethod(),
                     info.getPath());
             abortWithUnauthorized(context, "ONLY TOKEN BASED AUTHORIZATION IS SUPPORTED!");
-            log.info("======ONLY TOKEN BASED AUTHORIZATION IS SUPPORTED======================");
             return;
         }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@jans-config-api/server/src/main/java/io/jans/configapi/filters/AuthorizationFilter.java`
around lines 71 - 77, Remove the two verbose INFO statements in
AuthorizationFilter.filter(), or downgrade them to DEBUG; preserve the existing
warning and unauthorized response behavior.
jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/policy/PolicyDownloadService.java (1)

221-223: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Catch RuntimeException to prevent a ZIP bomb exception from breaking the reload process.

validateZip() throws an IllegalStateException (a RuntimeException) when the entry count is exceeded. Since this block only catches IOException, the IllegalStateException will propagate up, abort the reloadPolicies() loop (skipping any remaining policy sources), and potentially crash the application if triggered during startup initialization (initTime()).

Catch Exception or explicitly handle RuntimeException here to gracefully log the failure and continue processing other policy sources.

🛡️ Proposed fix
-		} catch (IOException ex) {
+		} catch (Exception ex) {
			log.error("Failed to execute load policies list from URI {}", policyStoreUri, ex);
		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/policy/PolicyDownloadService.java`
around lines 221 - 223, Update the exception handling in the policy-loading
block of PolicyDownloadService so RuntimeException from validateZip(), including
IllegalStateException, is caught alongside IOException. Log the failure through
the existing logger and allow reloadPolicies() to continue processing remaining
policy sources.
♻️ Duplicate comments (3)
jans-config-api/server/src/main/java/io/jans/configapi/security/service/CedarAuthorizationService.java (1)

54-56: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Wrong argument passed as method to cedarlingService.authorize.

Line 55 passes resourceInfo.toString() as the 4th argument, but CedarlingService.authorize expects the HTTP method string there. The method parameter is already available in processAuthorization's signature (line 44) but is never used. This means Cedarling receives the ResourceInfo object's toString() representation instead of the actual HTTP method (e.g., "GET", "POST"), causing authorization decisions to be evaluated against incorrect input.

🐛 Proposed fix
-        boolean isAuthorized = cedarlingService.authorize(token, issuer, resourceInfo, resourceInfo.toString(), path);
+        boolean isAuthorized = cedarlingService.authorize(token, issuer, resourceInfo, method, path);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@jans-config-api/server/src/main/java/io/jans/configapi/security/service/CedarAuthorizationService.java`
around lines 54 - 56, Update the authorize call in processAuthorization to pass
its existing method parameter as the fourth argument instead of
resourceInfo.toString(), preserving the remaining arguments and authorization
flow.
jans-core/cedarling/src/test/java/io/jans/core/cedarling/service/CedarlingProtectionServiceTest.java (1)

531-546: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not expose internal exception messages in HTTP responses.

This test locks in disclosure of arbitrary adapter, parser, or infrastructure errors to unauthenticated clients. Assert a generic error body instead and keep the detailed exception in server logs. Ensure the corresponding processAuthorization error handling returns a generic response to clients.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@jans-core/cedarling/src/test/java/io/jans/core/cedarling/service/CedarlingProtectionServiceTest.java`
around lines 531 - 546, Update unexpectedException_returns500 and the
corresponding processAuthorization error handling so internal exception messages
are not returned in HTTP responses. Assert a generic error body in the test
while preserving detailed exception logging on the server.
jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java (1)

209-211: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Conflicting CDI scopes on producer method.

The getCedarlingConfiguration() producer method is annotated with both @Dependent and @ApplicationScoped. A bean or producer must define exactly one scope. To ensure the nullable configuration does not cause CDI proxy creation errors (which was the reason for adding @Dependent), remove the @ApplicationScoped annotation.

♻️ Proposed fix
     `@Produces`
     `@Dependent`
-    `@ApplicationScoped`
     public CedarlingConfiguration getCedarlingConfiguration() {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java`
around lines 209 - 211, Remove the conflicting `@ApplicationScoped` annotation
from the getCedarlingConfiguration() producer method, retaining `@Dependent` so
nullable configuration values do not require CDI proxy creation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@jans-config-api/server/src/main/java/io/jans/configapi/filters/AuthorizationFilter.java`:
- Around line 71-77: Remove the two verbose INFO statements in
AuthorizationFilter.filter(), or downgrade them to DEBUG; preserve the existing
warning and unauthorized response behavior.

In
`@jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/policy/PolicyDownloadService.java`:
- Around line 221-223: Update the exception handling in the policy-loading block
of PolicyDownloadService so RuntimeException from validateZip(), including
IllegalStateException, is caught alongside IOException. Log the failure through
the existing logger and allow reloadPolicies() to continue processing remaining
policy sources.

---

Duplicate comments:
In
`@jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java`:
- Around line 209-211: Remove the conflicting `@ApplicationScoped` annotation from
the getCedarlingConfiguration() producer method, retaining `@Dependent` so
nullable configuration values do not require CDI proxy creation.

In
`@jans-config-api/server/src/main/java/io/jans/configapi/security/service/CedarAuthorizationService.java`:
- Around line 54-56: Update the authorize call in processAuthorization to pass
its existing method parameter as the fourth argument instead of
resourceInfo.toString(), preserving the remaining arguments and authorization
flow.

In
`@jans-core/cedarling/src/test/java/io/jans/core/cedarling/service/CedarlingProtectionServiceTest.java`:
- Around line 531-546: Update unexpectedException_returns500 and the
corresponding processAuthorization error handling so internal exception messages
are not returned in HTTP responses. Assert a generic error body in the test
while preserving detailed exception logging on the server.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cb73af84-16b3-4aa5-8d8f-c722bf98a90d

📥 Commits

Reviewing files that changed from the base of the PR and between 7acbff1 and 39a4b3e.

📒 Files selected for processing (15)
  • jans-config-api/docs/jans-config-api-swagger.yaml
  • jans-config-api/plugins/docs/fido2-plugin-swagger.yaml
  • jans-config-api/profiles/default/config-api-test.properties
  • jans-config-api/profiles/jans-ui.jans.io/test.properties
  • jans-config-api/profiles/local/test.properties
  • jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java
  • jans-config-api/server/src/main/java/io/jans/configapi/filters/AuthorizationFilter.java
  • jans-config-api/server/src/main/java/io/jans/configapi/security/service/CedarAuthorizationService.java
  • jans-core/cedarling/src/main/java/io/jans/core/cedarling/model/CedarlingConfiguration.java
  • jans-core/cedarling/src/main/java/io/jans/core/cedarling/model/PolicySource.java
  • jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/filter/CedarlingAuthorizationProcessingFilter.java
  • jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/policy/PolicyDownloadService.java
  • jans-core/cedarling/src/test/java/io/jans/core/cedarling/service/CedarlingAuthorizationServiceIntegrationTest.java
  • jans-core/cedarling/src/test/java/io/jans/core/cedarling/service/CedarlingProtectionServiceTest.java
  • jans-linux-setup/jans_setup/templates/jans-config-api/dynamic-conf.json
💤 Files with no reviewable changes (1)
  • jans-core/cedarling/src/main/java/io/jans/core/cedarling/service/filter/CedarlingAuthorizationProcessingFilter.java

@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 10:49 — with GitHub Actions Failure
@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 10:49 — with GitHub Actions Failure
Signed-off-by: pujavs <pujas.works@gmail.com>
@coderabbitai coderabbitai Bot added comp-jans-fido2 Component affected by issue or PR comp-jans-orm Component affected by issue or PR labels Jul 15, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java`:
- Around line 31-32: Update the context construction in CedarlingService to
avoid Map.of for potentially null method or issuer values by using a
null-tolerant mutable map, and convert
resourceInfo.getResourceMethod().getAnnotations() into a serializable list of
annotation string representations such as simple class names before storing it
under the existing mapping keys.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5a204654-4b08-4388-907d-aafea347bcfb

📥 Commits

Reviewing files that changed from the base of the PR and between 39a4b3e and 088e773.

📒 Files selected for processing (4)
  • jans-config-api/docs/jans-config-api-swagger.yaml
  • jans-config-api/plugins/docs/fido2-plugin-swagger.yaml
  • jans-config-api/server/src/main/java/io/jans/configapi/security/service/CedarAuthorizationService.java
  • jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java

@pujavs

pujavs commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

https://github.com/coderabbitai review

Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 12:37 — with GitHub Actions Failure
@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 12:37 — with GitHub Actions Failure
@pujavs

pujavs commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot removed comp-jans-orm Component affected by issue or PR comp-jans-fido2 Component affected by issue or PR labels Jul 15, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java`:
- Around line 32-42: Move the cedar_entity_mapping entry from context into the
resource payload used by CedarlingService, while keeping the existing method,
action, and issuer mapping unchanged. Leave the context argument empty when
invoking CedarlingAuthorizationService so its expected payload shape is
preserved.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 56d3ec24-6b30-4c11-830a-e37da5d621fe

📥 Commits

Reviewing files that changed from the base of the PR and between 088e773 and ed5e39a.

📒 Files selected for processing (3)
  • jans-config-api/docs/jans-config-api-swagger.yaml
  • jans-config-api/plugins/docs/fido2-plugin-swagger.yaml
  • jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java

Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 13:01 — with GitHub Actions Failure
@pujavs
pujavs had a problem deploying to integration-tests July 15, 2026 13:01 — with GitHub Actions Failure

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java`:
- Around line 27-28: Update the tokens map in CedarlingService to use
CedarlingAuthorizationService.CEDARLING_JANS_ACCESS_TOKEN instead of the literal
"ACCESS_TOKEN", while preserving the existing token value and authorization
flow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e6efa8d6-c2ac-4240-9c4e-4d5c793f6a13

📥 Commits

Reviewing files that changed from the base of the PR and between ed5e39a and 058dff7.

📒 Files selected for processing (3)
  • jans-config-api/docs/jans-config-api-swagger.yaml
  • jans-config-api/plugins/docs/fido2-plugin-swagger.yaml
  • jans-config-api/server/src/main/java/io/jans/configapi/service/cedar/CedarlingService.java

Signed-off-by: pujavs <pujas.works@gmail.com>
@pujavs
pujavs had a problem deploying to integration-tests July 18, 2026 11:32 — with GitHub Actions Failure
@pujavs
pujavs had a problem deploying to integration-tests July 18, 2026 11:32 — with GitHub Actions Failure
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp-docs Touching folder /docs comp-jans-cedarling Touching folder /jans-cedarling comp-jans-config-api Component affected by issue or PR comp-jans-core Component affected by issue or PR comp-jans-linux-setup Component affected by issue or PR kind-feature Issue or PR is a new feature request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: Jans config 10757 -autocreated feat(core): common, reusable policy-based authorization cedarling module

3 participants