
gandalf's Introduction


Gandalf

A Security Token Service (STS) is a standard component in security architectures, used to realize operations such as authentication, identity mapping, token validation and token conversion. The concept of an STS comes from the OASIS WS-Trust specification, which describes a secure model for establishing, managing and evaluating "trust" relationships between applications. The security model is built around three players: consumer, provider and the Security Token Service (STS), where the STS is the central player since it issues tokens that all providers can trust.

About

This STS is available in FSS; users are authenticated against on-prem Active Directory.
This STS does not perform any additional access control or role checks.
The service definitions are based on the specifications in these references:
The OAuth 2.0 Authorization Framework
Starting point for .well-known endpoint

Ingress

Test: https://security-token-service-t4.nais.preprod.local
Development: https://security-token-service.nais.preprod.local
Prod: https://security-token-service.nais.adeo.no

Developers

For local development, https://security-token-service.dev.adeo.no is exposed in naisdevice.

Openapi

/api

Identity Provider Metadata

Type | Endpoint
---- | --------
Retrieve public keys for validating the OIDC token issued by STS | /jwks
Configuration info | /.well-known/openid-configuration

Overview of token issuance and token conversions on REST interface

From | To | Endpoint | Extra
---- | -- | -------- | -----
client_credentials | OIDC | /rest/v1/sts/token |
client_credentials | OIDC | /rest/v1/sts/token2 | For Stormaskin
client_credentials | SAML | /rest/v1/sts/samltoken |
OIDC (issued by TokenX, this STS or AzureAD) | SAML | /rest/v1/sts/token/exchange |
SAML token (issued by STS (Datapower) or this STS) | OIDC | /rest/v1/sts/token/exchange |

Example Request. For more info check out: ../api

../rest/v1/sts/token

Issue System OIDC

You send: your srvUser credentials in the Authorization header
You get: an OIDC token with which you can make further calls.

Request:

POST /rest/v1/sts/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aGVsbG86eW91

grant_type=client_credentials&
scope=openid

Successful Response:

HTTP/1.1 200 OK
Content-Type: application/json
{
   "access_token": "eY........",
   "token_type": "Bearer",
   "expires_in": 3600
}

The validity period of the token (expires_in) is specified in seconds. The OIDC token is a base64url-encoded JWT.

Failed Response:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
    "error": "invalid_client",
    "error_description": "Unauthorised: Full authentication is required to access this resource"
}
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "error": "invalid_request",
    "error_description": "Some message"
}

Issue OIDC token based on SAML token

...rest/v1/sts/token/exchange

The service validates the received SAML token and generates a new OIDC token with content retrieved from the SAML token.

Request:

POST /rest/v1/sts/token/exchange HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aGVsbG86eW91

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
requested_token_type=urn:ietf:params:oauth:token-type:access_token&
subject_token_type=urn:ietf:params:oauth:token-type:saml2&
subject_token=BASE64URL encoded SAML token

Successful Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "access_token": "eY........",
   "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
   "token_type": "Bearer",
   "expires_in": "30 seconds more than the expiry of the SAML token"
}

Failed Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "error": "invalid_request",
    "error_description": "Some message"
}

The validity period of the token (expires_in) is specified in seconds. The OIDC token is a base64url-encoded JWT.

Issue SAML token based on OIDC token

...rest/v1/sts/token/exchange

Request:

POST /rest/v1/sts/token/exchange HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic aGVsbG86eW91

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
requested_token_type=urn:ietf:params:oauth:token-type:saml2&
subject_token_type=urn:ietf:params:oauth:token-type:access_token&
subject_token=BASE64URL encoded OIDC token

Successful Response:

HTTP/1.1 200 OK
Content-Type: application/json
{
   "access_token": "eY........",
   "issued_token_type": "urn:ietf:params:oauth:token-type:saml2",
   "token_type": "Bearer",
   "expires_in": "expiry of the SAML token"
}

Failed Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "error": "invalid_request",
    "error_description": "Some message"
}
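The three request shapes above, assembled and sanity-checked from a client's side, as an added example that is not part of the gandalf project. The sample 200 response below is constructed with a placeholder signature; a real consumer must additionally verify the JWT signature against the keys published at /jwks (for instance with Nimbus), which this example deliberately does not do.

```python
import base64
import json
from urllib.parse import urlencode

OIDC = "urn:ietf:params:oauth:token-type:access_token"
SAML = "urn:ietf:params:oauth:token-type:saml2"

def client_credentials_body() -> str:
    """Form body for POST /rest/v1/sts/token (issue a system OIDC token)."""
    return urlencode({"grant_type": "client_credentials", "scope": "openid"})

def token_exchange_body(subject_token: str, to_saml: bool) -> str:
    """Form body for POST /rest/v1/sts/token/exchange; to_saml selects OIDC->SAML, else SAML->OIDC."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": SAML if to_saml else OIDC,
        "subject_token_type": OIDC if to_saml else SAML,
        "subject_token": subject_token,
    })

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. The signature is NOT verified here; verify it against /jwks first."""
    header, payload, _sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned JWT rejected")
    return json.loads(b64url_decode(payload))

def check_issued_token(response: dict, expected_iss: str, now: int) -> dict:
    """'iss' must be the STS ingress that was called; 'exp' must agree with expires_in (seconds)."""
    claims = jwt_claims(response["access_token"])
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if abs(int(claims["exp"]) - (now + int(response["expires_in"]))) > 5:
        raise ValueError("exp does not match expires_in")
    return claims

# Constructed sample of a 200 from /rest/v1/sts/token. The signature is a
# placeholder, which is exactly why jwt_claims() alone must not be trusted.
STS_ISS = "https://security-token-service.nais.preprod.local"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": STS_ISS, "sub": "srvfoo", "exp": NOW + 3600}
_parts = (b'{"alg":"RS256","kid":"example-kid"}', json.dumps(SAMPLE_CLAIMS).encode(), b"placeholder-sig")
SAMPLE_RESPONSE = {"access_token": ".".join(b64url_encode(p) for p in _parts),
                   "token_type": "Bearer", "expires_in": 3600}
```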

To Run

Run GandalfApplicationLocal in test/kotlin/no/nav/gandalf
Runnable endpoints:
/rest/v1/sts/token
/rest/v1/sts/token2
/rest/v1/sts/token/exchange
/rest/v1/sts/samltoken
/.well-known/openid-configuration
/jwks

Tools n stuff

  • Kotlin
  • Nimbus
  • Snyk
  • Spring Boot

Contact

Plattformsikkerhet: [email protected] ++
Slack: #pig_sikkerhet

TODO

  • Add more endpoints to be run for local testing
  • Expose dev.adeo.no for local development
  • Describe the Swagger Objects and values
  • Refactoring of code for better readability

gandalf's People

Contributors

ybelmekk, dependabot[bot], tommytroen, tronghn, jksolbakken

Watchers

Truls Jørgensen, James Cloos, Nicklas Utgaard, Henning Ivan Solberg, Dag Raaum, Nabil Fario

gandalf's Issues

org.hibernate.StaleStateException - When trying to delete same object.

Error thrown; the cause could be that two processes try to delete the same item in the database.

Error: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1; statement executed: HikariProxyPreparedStatement@144036609 wrapping oracle.jdbc.driver.OraclePreparedStatementWrapper@4b582540; nested exception is org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1; statement executed: HikariProxyPreparedStatement@144036609 wrapping oracle.jdbc.driver.OraclePreparedStatementWrapper@4b582540

Is solved by locking in old code, but it seems that this issue is still present. Need to investigate the possibility of preventing this from happening again.

Stacktrace 30 more days.

Mapping of OIDC authLevel (acr) to SAML authLevel

In PSELV (Din pensjon) we have an integration against the SOAP API of, among others, DKIF.
The OIDC token is exchanged for a SAML token via REST-STS (gandalf).
The DKIF call works in FSS, but not in SBS.
The problem is that DKIF requires authenticationLevel in the SAML token to be a number, while the value used is "Level4".
Therefore the following code change in gandalf is requested:
In AccessTokenIssuer.kt change

samlObj.authenticationLevel = oidcObj.authLevel

to

samlObj.authenticationLevel = getAuthenticationLevel(oidcObj)

and add the following function:

    fun getAuthenticationLevel(oidcObj: OidcObject): String {
        return when {
            oidcObj.authLevel.equals("Level3") -> "3"
            oidcObj.authLevel.equals("Level4") -> "4"
            else -> DEFAULT_SAML_AUTHLEVEL
        }
    }

Unable to run application locally in development, openid-configuration provides the wrong urls for automatic configuration

Unable to set up and run application locally for testing when using STS with provided ingress for developers: https://security-token-service.dev.adeo.no/.well-known/openid-configuration.

Problem:
When configuring an application to use STS with issuer-url https://security-token-service.dev.adeo.no, configuration is resolved from the openid-configuration page.
This page contains links that point to preprod.local, making Spring fail when trying to fetch the JWKs, which are available at https://security-token-service.dev.adeo.no/jwks.

Please see the attached image
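A client-side check for the kind of mismatch this issue describes, as an added example rather than gandalf code: it compares the endpoints in an openid-configuration document against the issuer URL the client was configured with, so a wrong discovery document is reported up front instead of surfacing as a failed JWKS fetch. The configuration document below is constructed to mirror the issue (issuer on dev.adeo.no, token_endpoint and jwks_uri on preprod.local).

```python
from urllib.parse import urlparse

# Constructed openid-configuration shaped like the one the issue describes:
# the issuer is the dev ingress, but the other endpoints still point to preprod.local.
SAMPLE_CONFIG = {
    "issuer": "https://security-token-service.dev.adeo.no",
    "token_endpoint": "https://security-token-service.nais.preprod.local/rest/v1/sts/token",
    "jwks_uri": "https://security-token-service.nais.preprod.local/jwks",
}

def discovery_mismatches(issuer_url: str, config: dict) -> list:
    """Report discovery fields a client configured with issuer_url cannot rely on.
    Checks: the document's issuer equals the configured URL (OIDC Discovery rule),
    and token_endpoint / jwks_uri are https URLs on the issuer's host."""
    expected_host = urlparse(issuer_url).netloc
    problems = []
    if config.get("issuer") != issuer_url:
        problems.append(f"issuer: {config.get('issuer')!r} != {issuer_url!r}")
    for key in ("token_endpoint", "jwks_uri"):
        value = config.get(key)
        if not value:
            problems.append(f"{key}: missing")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key}: not https ({value})")
        if parsed.netloc != expected_host:
            problems.append(f"{key}: host {parsed.netloc} != {expected_host}")
    return problems
```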

OIDC to SAML for EksternBruker

Change request for handling external users when an OIDC token is exchanged for a SAML token:

In AccessTokenIssuer.kt, replace the function getIdentType (lines 317–327) with:

        fun getIdentType(subject: String): String {
            if (subject.toLowerCase().startsWith("srv")) {
                return IdentType.SYSTEMRESSURS.value
            }
            return when {
                subject.length == 9 && subject.matches("[0-9]+".toRegex()) -> {
                    IdentType.SAMHANDLER.value
                }
                subject.length == 11 && subject.matches("[0-9]+".toRegex()) -> {
                    IdentType.EKSTERNBRUKER.value
                }
                else -> IdentType.INTERNBRUKER.value
            }
        }

Unit tests:
Add to AccessTokenIssuerTest.kt:

    @Test
    fun `IdentType shall be EksternBruker when subject is 11-digit number`() {
        // 11-digit number is regarded as fødselsnummer or D-nummer
        val identType = AccessTokenIssuer.getIdentType("01020312345")
        assertEquals("EksternBruker", identType)
    }

    @Test
    fun `IdentType shall be InternBruker when subject is in Azure format`() {
        val identType = AccessTokenIssuer.getIdentType("0ApKqeByt-Y8qyG2Z_SKotwqx4L65elFIjqSCbb5P2s")
        assertEquals("InternBruker", identType)
    }

    @Test
    fun `IdentType shall be Samhandler when subject is 9-digit number`() {
        // 9-digit number is regarded as organisasjonsnummer
        val identType = AccessTokenIssuer.getIdentType("123456789")
        assertEquals("Samhandler", identType)
    }

    @Test
    fun `IdentType shall be Systemressurs when subject starts with srv`() {
        val identType = AccessTokenIssuer.getIdentType("srvfoo")
        assertEquals("Systemressurs", identType)
    }

Fix vulnerabilities

According to our own tooling, this app is one of the apps with the highest vulnerability-scores out there.

