{"id":14987857,"url":"https://github.com/apache/airavata-custos","last_synced_at":"2025-09-12T23:36:29.710Z","repository":{"id":37084061,"uuid":"170740248","full_name":"apache/airavata-custos","owner":"apache","description":"Apache Airavata Custos Security","archived":false,"fork":false,"pushed_at":"2025-05-22T13:20:55.000Z","size":31128,"stargazers_count":18,"open_issues_count":28,"forks_count":28,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-09-12T02:03:46.682Z","etag":null,"topics":["airavata","apache","authentication","authorization","oauth2","openidconnect","security"],"latest_commit_sha":null,"homepage":"https://airavata.apache.org/custos","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apache.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-02-14T18:41:17.000Z","updated_at":"2025-08-25T13:19:04.000Z","dependencies_parsed_at":"2024-01-17T04:07:56.413Z","dependency_job_id":"8d36672e-3237-4dd6-8eb4-be8ad4304a4b","html_url":"https://github.com/apache/airavata-custos","commit_stats":{"total_commits":552,"total_committers":11,"mean_commits":50.18181818181818,"dds":"0.27717391304347827","last_synced_commit":"c7ad339f006e4ffd9655b0e813406dc4358e87b8"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/apache/airavata-custos","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fairavata-custos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fairavata-custos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fairavata-custos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fairavata-custos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apache","download_url":"https://codeload.github.com/apache/airavata-custos/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fairavata-custos/sbom","scorecard":{"id":201257,"data":{"date":"2025-08-11","repo":{"name":"github.com/apache/airavata-custos","commit":"385466cd455444ca7c713faa76859dab6205d88f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.6,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":2,"reason":"Found 7/27 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/apache/.github/.github/SECURITY.md:1","Info: Found linked content: github.com/apache/.github/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/apache/.github/.github/SECURITY.md:1","Info: Found text in security policy: github.com/apache/.github/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'","Warn: branch protection not enabled for branch 'develop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: deployment/terraform/aws/modules/keycloak/resources/Dockerfile:20","Warn: containerImage not pinned by hash: deployment/terraform/aws/modules/keycloak/resources/Dockerfile:33: pin your Docker image by updating quay.io/keycloak/keycloak:20.0.3 to quay.io/keycloak/keycloak:20.0.3@sha256:b8f2a453a17a244a829fdafdb08dd77f719d3622bc3987c76a81771c0913b882","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"70 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw","Warn: Project is vulnerable to: GHSA-wg6g-ppvx-927h","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w","Warn: Project is vulnerable to: GHSA-434g-2637-qmqr","Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m","Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw","Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p","Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747","Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh","Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6","Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq","Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488","Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7","Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq","Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc","Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh","Warn: Project is vulnerable to: GHSA-496j-2rq6-j6cc","Warn: Project is vulnerable to: GHSA-6628-q6j9-w8vg","Warn: Project is vulnerable to: GHSA-9hxf-ppjv-w6rq","Warn: Project is vulnerable to: GHSA-cfgp-2977-2fmm","Warn: Project is vulnerable to: PYSEC-2022-48 / GHSA-77rm-9x9h-xj3g","Warn: Project is vulnerable to: GHSA-8gq9-2x98-w8hf","Warn: Project is vulnerable to: GHSA-8qvm-5x2c-j2w7","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: PYSEC-2021-108 / GHSA-q2q7-5pp4-w6pg","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: GHSA-55m3-44xf-hg4h","Warn: Project is vulnerable to: GHSA-gprj-3p75-f996","Warn: Project is vulnerable to: PYSEC-2022-206 / GHSA-r7v4-jwx9-wx43","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: GHSA-cx63-2mw6-8hw5","Warn: Project is vulnerable to: PYSEC-2022-43012 / GHSA-r9hx-vwmv-q579","Warn: Project is vulnerable to: PYSEC-2022-43017 / GHSA-qwmp-2cf2-g9g6","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm","Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3","Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx","Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6","Warn: Project is vulnerable to: GHSA-x574-m823-4x7w","Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8","Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x","Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4","Warn: Project is vulnerable to: GHSA-859w-5945-r5v3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T22:53:16.772Z","repository_id":37084061,"created_at":"2025-08-16T22:53:16.772Z","updated_at":"2025-08-16T22:53:16.772Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274893353,"owners_count":25369300,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-12T02:00:09.324Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["airavata","apache","authentication","authorization","oauth2","openidconnect","security"],"created_at":"2024-09-24T14:15:35.237Z","updated_at":"2025-09-12T23:36:29.680Z","avatar_url":"https://github.com/apache.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!--\n    Licensed to the Apache Software Foundation (ASF) under one\n    or more contributor license agreements.  See the NOTICE file\n    distributed with this work for additional information\n    regarding copyright ownership.  The ASF licenses this file\n    to you under the Apache License, Version 2.0 (the\n    \"License\"); you may not use this file except in compliance\n    with the License.  You may obtain a copy of the License at\n\n      http://www.apache.org/licenses/LICENSE-2.0\n\n    Unless required by applicable law or agreed to in writing,\n    software distributed under the License is distributed on an\n    \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n    KIND, either express or implied.  See the License for the\n    specific language governing permissions and limitations\n    under the License.\n--\u003e\n\n# Apache Airavata Custos Security\n\n[![License](http://img.shields.io/badge/license-Apache--2-blue.svg?style=flat)](https://apache.org/licenses/LICENSE-2.0)\n[![GitHub closed pull requests](https://img.shields.io/github/issues-pr-closed/apache/airavata-custos)](https://github.com/apache/airavata-custos/pulls?q=is%3Apr+is%3Aclosed)\n[![Build Status](https://travis-ci.org/apache/airavata-custos.png?branch=develop)](https://travis-ci.org/github/apache/airavata-custos)\n\nScience gateways represent potential targets for cybersecurity threats to users, scientific research, and scientific resources. Custos is a software framework that provides common security operations for science gateways, including user identity and access management, gateway tenant profile management, resource secrets management, and groups and sharing management. The goals of the Custos project are to provide these services to a wide range of science gateway frameworks, providing the community with an open-source, transparent, and reviewed code base for common security operations; and to operate trustworthy security services for the science gateway community using this software base. To accomplish these goals, we implement Custos using a scalable microservice architecture that can provide highly available, fault-tolerant operations. Custos exposes these services through a language-independent Application Programming Interface that encapsulates science gateway usage scenarios.\n\n\nFollowing diagram illustrate the architecture of the Custos Software.\n\n\n![Custos_Diagram](Custos_Diagram.png)\n\n**To find out more, please check out the [Custos website](https://airavata.apache.org/custos/).**\n\n## Quickstart\n\n## Installation Instructions\n\n### Setup Custos for local development\n\n#### Prerequisites\n\n* Java 17\n\n* Docker installed on local environment \n\n* Maven 3.6.x\n\n#### Clone the repository\n```sh\ngit clone https://github.com/apache/airavata-custos.git\n```\n\n#### Start Docker Containers (to run a development environment)\nNavigate to `/compose`, and start the following containers:\n- Keycloack (http://localhost:8080)\n- Custos DB (MySQL, http://localhost:3306)\n- Vault (http://localhost:8200)\n- Adminer (http://localhost:18080)\n\n```sh\ndocker compose up -d\n```\n\n#### Configure Vault\n1. Go to the Vault's exposed port (http://localhost:8200) and walk through the configuration process. \n   2. You'll need to save your initial root token and unsealed key.\n2. Place your root token in `/application/src/main/resources/application.yml`, under `spring.cloud.vault.token`\n\n3. Install all dependencies through maven.\n   4. `mvn clean install`\n4. Run the CustosApplication class to bring up the backend.\n   5. `mvn spring-boot:run`\n5. Make a POST request to http://127.0.0.1:8081/api/v1/tenant-management/initialize (no headers, no body)\n6. Grab the client id and client secret from output on the backend.\n\n#### You're all set!\nYou can now make requests to Custos.\n\n## Custos Integration With External Applications\nCustos can be integrated with external applications using Custos REST Endpoints, Python SDK, or Java SDK.\n\n### Integrate Using Java SDK\nIn order to perform this operation you need to have a already activated tenant in either Custos Managed Services or Your own deployment.\nFollowing instructions are given for locally deployed custos setup which can be extended to any deployment,\n\n#### Initializing Custos Java SDK\n\n* Add maven dependency to your project\n```\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apache.custos\u003c/groupId\u003e\n   \u003cartifactId\u003ecustos-java-sdk\u003c/artifactId\u003e\n   \u003cversion\u003e1.1-SNAPSHOT\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n* Initialize Custos Client Provider in your application\n```\n CustosClientProvider custosClientProvider = new CustosClientProvider.Builder().setServerHost(\"localhost\")\n                    .setServerPort(7000)\n                    .setClientId(CUSTOS CLIENT ID) // client Id generated from above step or any active tenant id\n                    .setClientSec(CUSTOS CLIENT SECRET)  \n                    .usePlainText(true) // Don't use this in production setup\n                    .build();\n```\nOnce above step is done, you can use custos available methods for  authentication and authorization purposes\n* Sample client code to register and enable a User\n\n```\n UserManagementClient userManagementClient =  custosClientProvider.getUserManagementClient();\n userManagementClient.registerUser(\"jhon\",\"Smith\",\"testpassword\",\"smith@1\",\n                    \"jhon@email.com\",false);\n userManagementClient.enableUser(\"jhon\");\n OperationStatus status =  userManagementClient.isUserEnabled(\"Jhon\");\n```\n##### \n### Deploy Custos on remote server\n\nFollow the Ansible based deployed instructions. see documentation [here](ansible/README.md)\n\n\n### Questions or need help?\nPlease create a github issue or subscribe to custos mailing list ```custos-subscribe@airavata.apache.org``` and send us an email.\n\n### Publications\n\n```\n@inproceedings{10.1145/3311790.3396635,\nauthor = {Ranawaka, Isuru and Marru, Suresh and Graham, Juleen and Bisht, Aarushi and Basney, Jim and Fleury, Terry and Gaynor, Jeff and Wannipurage, Dimuthu and Christie, Marcus and Mahmoud, Alexandru and Afgan, Enis and Pierce, Marlon},\ntitle = {Custos: Security Middleware for Science Gateways},\nyear = {2020},\nisbn = {9781450366892},\npublisher = {Association for Computing Machinery},\naddress = {New York, NY, USA},\nurl = {https://doi.org/10.1145/3311790.3396635},\ndoi = {10.1145/3311790.3396635},\nbooktitle = {Practice and Experience in Advanced Research Computing},\npages = {278–284},\nnumpages = {7},\nlocation = {Portland, OR, USA},\nseries = {PEARC '20}\n}\n```\n\n```\n@inproceedings{10.1145/3491418.3535177,\nauthor = {Ranawaka, Isuru and Goonasekara, Nuwan and Afgan, Enis and Basney, Jim and Marru, Suresh and Pierce, Marlon},\ntitle = {Custos Secrets: A Service for Managing User-Provided Resource Credential Secrets for Science Gateways},\nyear = {2022},\nisbn = {9781450391610},\npublisher = {Association for Computing Machinery},\naddress = {New York, NY, USA},\nurl = {https://doi.org/10.1145/3491418.3535177},\ndoi = {10.1145/3491418.3535177},\nbooktitle = {Practice and Experience in Advanced Research Computing},\narticleno = {40},\nnumpages = {4},\nlocation = {Boston, MA, USA},\nseries = {PEARC '22}\n}\n```\n\n### Acknowledgment\n\nWe are thankfull to National Science Foundation(NSF) for funding this project.\n\nWe are thankfull to  Trusted CI (https://www.trustedci.org/) for conducting the\nFirst Principles Vulnerability Assesment(FPVA) (https://dl.acm.org/doi/10.1145/1866835.1866852) for this software and providing the above architecture diagram and security improvements. \n`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fairavata-custos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapache%2Fairavata-custos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fairavata-custos/lists"}