@devrimyatar devrimyatar commented Feb 3, 2026

Closes #2619

Summary by CodeRabbit

  • New Features
    • TLS 1.3 security configuration is now automatically applied during installation of the Admin UI and Config API components.
    • New comprehensive Java security settings disable legacy SSL/TLS protocols (e.g., SSLv3, TLSv1/1.1) and weak cryptographic algorithms to enforce stronger encryption.

Signed-off-by: Mustafa Baser <mbaser@mail.com>
@devrimyatar devrimyatar requested a review from duttarnab February 3, 2026 08:19
@devrimyatar devrimyatar added the comp-flex-linux-setup (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) labels Feb 3, 2026
coderabbitai bot commented Feb 3, 2026

Walkthrough

Adds TLS 1.3-related configuration: new java.security template, three new flex_installer attributes, and a tls13_settings() method that copies the java.security file into Jetty's security directory and ensures a -Djava.security.properties entry in Jetty's server.ini; tls13_settings() is invoked during relevant install steps.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Installer changes: flex-linux-setup/flex_linux_setup/flex_setup.py | Added instance attributes java_security_fn, config_api_base_dir, java_security_dir; added tls13_settings() method that copies java.security into Jetty security dir and ensures -Djava.security.properties=./etc/jetty/security/java.security is present in start.d/server.ini. Method invoked after Gluu Admin UI and Config API plugin installs. |
| Java security template: flex-linux-setup/flex_linux_setup/templates/java.security | New template file defining jdk.tls.disabledAlgorithms to disable legacy protocols and weak algorithms (SSLv3, TLSv1/TLSv1.1, RC4, DES, MD5withRSA, 3DES, various CBC and SHA-1 usages) to enable TLS 1.3-compatible settings. |

Sequence Diagram(s)

sequenceDiagram
    participant GA as GluuAdminInstaller
    participant CA as ConfigAPIInstaller
    participant FI as flex_installer
    participant FS as FileSystem/Jetty

    GA->>FI: run post-install hooks
    FI->>FS: copy templates/java.security -> ./etc/jetty/security/java.security
    FI->>FS: ensure -Djava.security.properties entry in start.d/server.ini
    CA->>FI: run post-install hooks
    FI->>FS: (repeat) copy java.security and update server.ini

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • duttarnab

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately summarizes the main change: enabling TLSv1.3 in the java.security file by disabling legacy/insecure protocols. |
| Linked Issues check | ✅ Passed | The PR successfully implements both requirements from issue #2619: creates java.security with disabled algorithms config and adds JVM property to server.ini. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to enabling TLSv1.3 support for the Config API; no out-of-scope modifications detected. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Fix all issues with AI agents
In `@flex-linux-setup/flex_linux_setup/flex_setup.py`:
- Line 677: The generated JVM property string in java_security_prop_line
currently inserts a space before and after '='; update the construction so there
are no spaces around '=', e.g. build java_security_prop_line by concatenating
java_security_prefix, the literal '=' and the path derived from
Path(self.java_security_dir).relative_to(self.config_api_base_dir).joinpath(os.path.basename(self.java_security_fn)).as_posix().
Ensure the change is applied where java_security_prop_line is defined so the
resulting token follows JVM syntax like
"-Djava.security.properties=./etc/jetty/security/java.security".
- Around line 686-690: The length check uses the wrong variable: change the
condition that currently checks len(ls) > 1 to check len(lsl) > 1 so we only
proceed when the split result (lsl) contains a key/value pair; update the branch
in the loop that sets config_api_server_ini_content_list[i] =
java_security_prop_line and write_fn = True (the block referencing lsl,
java_security_prefix, java_security_prop_line,
config_api_server_ini_content_list, and write_fn) to use len(lsl) > 1 instead of
len(ls).
- Line 681: The loop variable `l` in the statement `for i, l in
enumerate(config_api_server_ini_content_list[:])` is ambiguous; rename it to
`line` and update every usage of `l` inside that loop body to `line` (preserving
behavior), ensuring any references in methods or conditionals within the same
scope (e.g., string operations or replacements on the list element) are changed
as well so the code compiles and static analysis E741 is resolved.

In `@flex-linux-setup/flex_linux_setup/templates/java.security`:
- Around line 1-6: The jdk.tls.disabledAlgorithms property is malformed: remove
the blank line after the backslash so the continuation immediately follows the
previous backslash, correct the typo "HandshakeSigature" to
"HandshakeSignature", and delete the trailing "#" character so the value isn't
corrupted; ensure the continued lines for jdk.tls.disabledAlgorithms use a
backslash at the end of each continued line with no empty lines or stray
characters.
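
The continuation problem described in the review comment above can be checked mechanically. This is an added example, not code from this PR or project: a simplified reader for the Java properties format showing that a blank line after a trailing backslash ends the entry early, so later protocol names never reach `jdk.tls.disabledAlgorithms`. The sample file contents, the `REQUIRED` set and all function names are constructed for illustration.

```python
import re

# Assumption: the legacy protocols the PR summary says must be disabled.
REQUIRED = {"SSLv3", "TLSv1", "TLSv1.1"}
KEY = "jdk.tls.disabledAlgorithms"

# Constructed samples: a blank line after the backslash plus a trailing "#",
# and the same entry with the continuation repaired.
BROKEN = "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, \\\n\n    TLSv1.1, RC4, DES, #\n"
FIXED = "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, \\\n    TLSv1.1, RC4, DES\n"

def logical_lines(text):
    """Join natural lines the way java.util.Properties does (simplified)."""
    out, buf, continuing = [], "", False
    for raw in text.splitlines():
        line = raw.lstrip(" \t\f")
        if not continuing and (not line or line[0] in "#!"):
            continue  # blank and comment lines are skipped only between entries
        # An odd number of trailing backslashes means the entry continues.
        trailing = len(line) - len(line.rstrip("\\"))
        continuing = trailing % 2 == 1
        buf += line[:-1] if continuing else line
        if not continuing:  # a blank continuation line ends the entry here
            out.append(buf)
            buf = ""
    if buf:
        out.append(buf)
    return out

def load_properties(text):
    """Split each logical line at the first '=', ':' or whitespace."""
    props = {}
    for entry in logical_lines(text):
        key, value = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", entry, re.S).groups()
        props[key] = value
    return props

def check_disabled_algorithms(text):
    """Return (parsed entries, required protocols missing, unexpected keys)."""
    props = load_properties(text)
    algos = [a.strip() for a in props.get(KEY, "").split(",") if a.strip()]
    missing = sorted(REQUIRED - set(algos))
    other_keys = sorted(k for k in props if k != KEY)
    return algos, missing, other_keys

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_disabled_algorithms(sample))
```

An unexpected key such as `TLSv1.1,` in the result is the tail of the list parsed as its own property, which is the sign that the continuation broke.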

Signed-off-by: Mustafa Baser <mbaser@mail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>
sonarqubecloud bot commented Feb 3, 2026

@duttarnab duttarnab merged commit b545188 into main Feb 3, 2026
8 of 10 checks passed
@duttarnab duttarnab deleted the flex-linux-setup-enable-TLSv1.3-2619 branch February 3, 2026 09:30
Development

Successfully merging this pull request may close these issues.

feat(flex-linux-setup): enable TLSv1.3 in java.security file
