
feat(flex-linux-setup): Admin UI and Cedarling integration#2407

Merged: duttarnab merged 5 commits into main from flex-linux-setup-cedarling-2399 on Nov 5, 2025

Conversation


@devrimyatar devrimyatar commented Nov 1, 2025

Closes #2399

Summary by CodeRabbit

  • New Features
    • Added admin UI policy store support with configurable store URL, path, and remote option.
    • Populated resource-scope mappings for granular admin UI access control (dashboard, license, settings, webhooks, clients, scopes) with READ/WRITE/DELETE levels.
    • Included trusted issuer entries and detailed token metadata/schema in the policy store for auth-related configuration.

Signed-off-by: Mustafa Baser <mbaser@mail.com>
@devrimyatar devrimyatar added labels comp-flex-linux-setup (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) Nov 1, 2025

coderabbitai bot commented Nov 1, 2025

Walkthrough

Adds Cedarling policy-store support to Admin UI setup: new policy-store template, admin UI config keys, LDIF resource-scope mappings, and install steps to render the policy store, set ownership, and import mappings during Admin UI installation.

Changes (cohort, file(s), summary)

Setup integration: flex-linux-setup/flex_linux_setup/flex_setup.py
Adds policy_store_path attribute pointing to templates/policy-store.json. Updates install_gluu_admin_ui to render the policy store into the Admin UI config dir, chown the directory to the Jetty user/group, and import adminUIResourceScopesMapping.ldif via DB utilities.

LDAP resource mappings: flex-linux-setup/flex_linux_setup/templates/adminUIResourceScopesMapping.ldif
Adds many LDAP entries defining admin UI resource-to-scope mappings (dn/inum, jansAccessType, jansResource, jansScope, objectClass) for dashboard, license, settings, webhooks, clients, scopes, etc.

Admin UI configuration: flex-linux-setup/flex_linux_setup/templates/auiConfiguration.json
Adds auiPolicyStoreUrl (""), auiDefaultPolicyStorePath (./custom/config/adminUI/policy-store.json), and useRemotePolicyStore (false) to the UI config.

Policy store template: flex-linux-setup/flex_linux_setup/templates/policy-store.json
Introduces a detailed policy-store.json with a policy_stores collection, policies (base64 blobs), trusted_issuers, token metadata schemas, principal mappings, and default_entities.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Installer as flex_setup.install_gluu_admin_ui
    participant Templates as templates/
    participant FS as AdminUI config dir
    participant DB as dbUtils (LDAP/DB)

    rect rgb(222,235,247)
      Installer->>Templates: read policy-store.json template
      Installer->>FS: render policy-store.json -> ./custom/config/adminUI/policy-store.json
      Installer->>FS: chown ./custom/config/adminUI -> jetty:jetty
      Installer->>DB: import adminUIResourceScopesMapping.ldif
      DB-->>Installer: import result (success/failure)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Areas to focus:
    • Path handling and file ownership (chown) in install_gluu_admin_ui
    • LDIF content structure (DNs, inum values, jansScope formats)
    • Validity and intended encoding/structure of entries in policy-store.json
    • dbUtils import error handling and idempotency

Poem

🐰
I hop and stash a tiny file,
Policies tucked in a neat little pile,
Scopes and DNs all in a row,
Jetty guards them soft and slow,
Cedarling hums — the Admin UI glows.

Pre-merge checks and finishing touches

✅ Passed checks (4 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'feat(flex-linux-setup): Admin UI and Cedarling integration' accurately and specifically describes the main changes: integrating Cedarling with Admin UI in flex-linux-setup.
  • Linked Issues check: Passed. The pull request implements Cedarling integration for Admin UI as specified in #2399. Changes include policy store configuration, LDAP mappings, and adminUI config updates supporting this integration.
  • Out of Scope Changes check: Passed. All changes are within scope: policy store setup, LDAP resource-scopes mapping, and Admin UI configuration updates directly support the stated Cedarling integration objective.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1c3cc6b and 8097f9f.

📒 Files selected for processing (4)
  • flex-linux-setup/flex_linux_setup/flex_setup.py (2 hunks)
  • flex-linux-setup/flex_linux_setup/templates/adminUIResourceScopesMapping.ldif (1 hunks)
  • flex-linux-setup/flex_linux_setup/templates/auiConfiguration.json (1 hunks)
  • flex-linux-setup/flex_linux_setup/templates/policy-store.json (1 hunks)
🔇 Additional comments (6)
flex-linux-setup/flex_linux_setup/flex_setup.py (3)

327-327: LGTM!

The policy store path is correctly constructed relative to the templates directory.


572-574: Verify if renderTemplateInOut creates directories before rendering.

The implementation of renderTemplateInOut is in an external dependency (setup_app.installers.config_api), which is not available in this repository for inspection. However, the codebase shows an inconsistent pattern: at lines 625–627, explicit directory creation is performed before a chown operation, while lines 572–574 call renderTemplateInOut without explicit directory creation.

Since the external module implementation cannot be verified here, manually confirm whether renderTemplateInOut handles directory creation internally, or add an explicit check (matching the pattern at lines 625–627) to ensure robustness.


575-577: Let me verify the import sequence and whether the parent OU is created elsewhere.

Based on my comprehensive verification, the review comment raises valid and critical concerns that are confirmed by the codebase examination:

Findings:

  1. The adminUIResourceScopesMapping.ldif file contains 40+ entries referencing ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans
  2. The parent organizational unit ou=adminUIResourceScopesMapping is never explicitly created in any LDIF file in the codebase
  3. The aui_webhook.ldif creates ou=admin-ui,o=jans and child OUs, but not ou=adminUIResourceScopesMapping
  4. The objectClass schema definition for adminUIResourceScopesMapping is not found in the codebase (likely expected to be pre-defined in the LDAP server)
  5. LDAP import will fail with "parent does not exist" error if the parent OU is not created before importing

The review comment is accurate and the concern is substantive.

Verify LDAP schema supports adminUIResourceScopesMapping objectClass.

The LDIF import at line 577 requires the parent DN ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans to exist before importing. The parent OU is not created in adminUIResourceScopesMapping.ldif or any other LDIF file in the codebase. Additionally, the objectClass schema definition is not present. Ensure the parent organizational unit is created in the proper sequence (e.g., add it to aui_webhook.ldif or appropriate setup initialization) and that the LDAP server has the adminUIResourceScopesMapping schema loaded.

flex-linux-setup/flex_linux_setup/templates/policy-store.json (2)

39-88: LGTM!

The trusted issuer configuration with token metadata for access_token, id_token, and userinfo_token is well-structured. The %(hostname)s placeholder will be correctly rendered by renderTemplateInOut in flex_setup.py line 573.


7-37: LGTM!

The policy definitions for admin and auditor roles are well-structured. The base64-encoded policy content follows Cedar policy language format, and the descriptions clearly indicate the authorization rules (e.g., admin can manage auth server configuration, auditor can manage system monitoring and clients).

flex-linux-setup/flex_linux_setup/templates/adminUIResourceScopesMapping.ldif (1)

1-595: No issues found with the LDIF file structure.

Verification confirmed that all 60 resource-scope mapping entries have unique inums with zero duplicates. The file is structurally sound and ready for LDAP import.

Comment on lines +1 to +2
{
"cedar_version": "4.4.0",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Cedar version compatibility with Cedarling.

The policy store specifies cedar_version: "4.4.0". Ensure this version is compatible with the Cedarling integration in the Admin UI to avoid runtime policy evaluation errors.


🌐 Web query:

What version of Cedar policy language does Cedarling support?

💡 Result:

Cedarling supports Cedar policy language version v4.0.0. [1][2]

Sources:
[1] Janssen docs — Cedarling Policy Store (stable).
[2] Janssen docs — Cedarling Policy Store (v1.8.0 example).


Update cedar_version to match Cedarling support.

Cedarling supports Cedar policy language version v4.0.0, but the policy store specifies cedar_version: "4.4.0". This mismatch will cause runtime policy evaluation errors. Change line 2 to "cedar_version": "4.0.0".

🤖 Prompt for AI Agents
In flex-linux-setup/flex_linux_setup/templates/policy-store.json around lines 1
to 2, the cedar_version is set to "4.4.0" but Cedarling supports v4.0.0; update
the value on line 2 to "4.0.0" so the policy store matches Cedarling's supported
Cedar policy language version.
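The parent-OU and duplicate-inum checks discussed in the review comments above, as an added pre-import validator (example code written here, not part of the PR or of CodeRabbit's output): it parses a constructed LDIF sample modelled on the mapping entries, reports any entry whose parent DN is neither already in the directory nor defined earlier in the file, and flags repeated inum values. The set of pre-existing DNs and all sample values are assumptions.

```python
import re
# Constructed sample modelled on the mapping entries; the second entry repeats the first inum.
SAMPLE_LDIF = """\
dn: inum=AUI-0001,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans
objectClass: adminUIResourceScopesMapping
inum: AUI-0001
jansAccessType: READ

dn: inum=AUI-0002,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans
objectClass: adminUIResourceScopesMapping
inum: AUI-0001
jansAccessType: WRITE
"""
# Assumption: these DNs already exist in the directory before the import runs.
EXISTING_DNS = {"o=jans", "ou=admin-ui,o=jans"}

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank lines.
    Base64 (::) values and line continuations are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parent_dn(dn):
    """Strip the first RDN (up to the first unescaped comma); '' for a root DN."""
    m = re.match(r"(?:\\.|[^,])+,(.*)$", dn)
    return m.group(1).strip() if m else ""

def check_ldif(text, existing_dns):
    """Return entries whose parent DN would be missing at import time, and repeated inums."""
    known = set(existing_dns)
    problems = {"missing_parent": [], "duplicate_inum": []}
    seen_inums = set()
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        parent = parent_dn(dn)
        if parent and parent not in known:
            problems["missing_parent"].append((dn, parent))
        known.add(dn)  # import is sequential, so later entries may rely on this one
        for inum in entry.get("inum", []):
            if inum in seen_inums:
                problems["duplicate_inum"].append(inum)
            seen_inums.add(inum)
    return problems
```

Prepending an organizationalUnit entry for ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans to the file clears the missing-parent report, which is the fix the review asks for.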

@devrimyatar devrimyatar marked this pull request as draft November 2, 2025 10:05
@devrimyatar devrimyatar requested a review from duttarnab November 2, 2025 10:05

sonarqubecloud bot commented Nov 3, 2025

@devrimyatar devrimyatar marked this pull request as ready for review November 4, 2025 18:08

sonarqubecloud bot commented Nov 4, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
flex-linux-setup/flex_linux_setup/templates/policy-store.json (1)

1-2: Cedar version compatibility issue persists.

The past review correctly identified that Cedarling supports Cedar policy language version v4.0.0, but Line 2 still specifies "cedar_version": "4.4.0". This version mismatch will cause runtime policy evaluation errors.

Apply this diff to fix:

-    "cedar_version": "4.4.0",
+    "cedar_version": "4.0.0",
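Review bot: the downgrade to "4.0.0" rests on a web-query answer that cites a documentation example value, and nothing in the hunk shows that "4.4.0" is actually rejected at policy-evaluation time; before applying it, confirm the cedar_version accepted by the Cedarling build bundled with this Admin UI release, and record that source in the commit message so the constraint survives the next template regeneration.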
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8097f9f and 6b373e9.

📒 Files selected for processing (3)
  • flex-linux-setup/flex_linux_setup/flex_setup.py (2 hunks)
  • flex-linux-setup/flex_linux_setup/templates/auiConfiguration.json (1 hunks)
  • flex-linux-setup/flex_linux_setup/templates/policy-store.json (1 hunks)
🔇 Additional comments (3)
flex-linux-setup/flex_linux_setup/templates/auiConfiguration.json (1)

38-41: LGTM! Policy store configuration correctly integrated.

The new policy store configuration fields are properly structured:

  • auiDefaultPolicyStorePath correctly references ./custom/config/adminUI/policy-store.json, which matches the filename rendered by the installer in flex_setup.py (line 327 defines policy-store.json as the template name).
  • The remote vs. local policy store toggle is appropriately defaulted to local (useRemotePolicyStore: false).

This resolves the filename mismatch issue flagged in the previous review.

flex-linux-setup/flex_linux_setup/flex_setup.py (2)

327-327: LGTM! Policy store path correctly defined.

The policy_store_path attribute correctly points to policy-store.json, which matches the references in auiConfiguration.json (line 40) and ensures consistent naming throughout the cedarling integration.


571-574: LGTM! Policy store rendering and permissions properly handled.

The cedarling integration correctly:

  • Renders the policy store template into the Admin UI config directory
  • Sets appropriate ownership for the jetty user to access the policy store

Comment on lines +575 to +577
resource_scopes_mapping_lidf_fn = os.path.join(self.templates_dir, 'adminUIResourceScopesMapping.ldif')

self.dbUtils.import_ldif([resource_scopes_mapping_lidf_fn])

⚠️ Potential issue | 🟡 Minor

Fix variable naming and add file existence check.

Two issues:

  1. Line 575: Variable name resource_scopes_mapping_lidf_fn contains a typo—should be ldif_fn (LDAP Data Interchange Format, not "lidf").
  2. Line 577: No check if the LDIF file exists before importing, which could cause a runtime error if the file is missing.

Apply this diff:

-        resource_scopes_mapping_lidf_fn = os.path.join(self.templates_dir, 'adminUIResourceScopesMapping.ldif')
+        resource_scopes_mapping_ldif_fn = os.path.join(self.templates_dir, 'adminUIResourceScopesMapping.ldif')
 
-        self.dbUtils.import_ldif([resource_scopes_mapping_lidf_fn])
+        if os.path.exists(resource_scopes_mapping_ldif_fn):
+            self.dbUtils.import_ldif([resource_scopes_mapping_ldif_fn])
+        else:
+            print(f"Warning: LDIF file not found: {resource_scopes_mapping_ldif_fn}")
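Review bot: the else branch only prints a warning and lets the installer continue, so a missing adminUIResourceScopesMapping.ldif leaves the Admin UI with no resource-to-scope mappings while the install still reports success; the accompanying agent prompt itself asks for logging an error and exiting or raising, which is the safer behaviour for an access-control artifact. Replace the print with `raise FileNotFoundError(resource_scopes_mapping_ldif_fn)` and use os.path.isfile rather than os.path.exists so a directory at that path is not accepted.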
🤖 Prompt for AI Agents
In flex-linux-setup/flex_linux_setup/flex_setup.py around lines 575 to 577, the
variable name resource_scopes_mapping_lidf_fn has a typo (should be ldif_fn) and
there is no check that the LDIF file exists before importing; rename the
variable to resource_scopes_mapping_ldif_fn and before calling
self.dbUtils.import_ldif(...) verify the file exists with
os.path.exists(resource_scopes_mapping_ldif_fn) (or os.path.isfile) and handle
the missing file by logging an error and exiting or raising an exception so
import_ldif is only called with a valid path.

@duttarnab duttarnab merged commit f760fe5 into main Nov 5, 2025
9 of 11 checks passed
@duttarnab duttarnab deleted the flex-linux-setup-cedarling-2399 branch November 5, 2025 12:06
Development

Successfully merging this pull request may close these issues.

feat(flex-linux-setup): changes in setup for Cedarling integration with Admin UI
