Review the application.yaml. Refactor the configuration so there are no default values for application properties that are sensitive. One idea discussed was to move the security config to a new test profile config in the pass-core-main/src/test/resources that the unit integration tests can use. This will also include moving the sp resources to the test resources dir, and will change config in pass-docker. Some analysis and experimentation will be needed.
In the end, with whatever configuration change is made, it should be as easy as possible to start pass-core locally.
pass-support:
Review all application.properties files in all modules. Remove any sensitive default values. Any present should be able to be removed since they are already set for unit/integration tests.
pass-docker:
Review documentation ensure there is clear text warning that the local env should not be used for production use.
pass-ui:
Review for any config properties with default values.
Acceptance Criteria
There are no default values for sensitive application properties
What?
To improve security, we have decided to remove default values from sensitive application properties.
Why?
To improve security, so someone doesn't start a pass component using default application properties that set credentials/authentication keys/config.
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
How?
pass-core:
Review the application.yaml. Refactor the configuration so there are no default values for application properties that are sensitive. One idea discussed was to move the security config to a new test profile config in the pass-core-main/src/test/resources that the unit integration tests can use. This will also include moving the sp resources to the test resources dir, and will change config in pass-docker. Some analysis and experimentation will be needed.
In the end, with whatever configuration change is made, it should be as easy as possible to start pass-core locally.
pass-support:
Review all application.properties files in all modules. Remove any sensitive default values. Any present should be able to be removed since they are already set for unit/integration tests.
pass-docker:
Review documentation ensure there is clear text warning that the local env should not be used for production use.
pass-ui:
Review for any config properties with default values.
Acceptance Criteria
There are no default values for sensitive application properties