Security Implementation for Swan Lake

[ldclakmal]

Important Links

• Dashboard: https://ldclakmal.me/ballerina-security
• Area/Security Issues: https://ldclakmal.me/ballerina-security/issues/

Proposed Designs:

• Design of Ballerina Authentication & Authorization Framework - Swan Lake Version
  https://docs.google.com/document/d/1dGw5uUP6kqZNTwMfQ_Ik-k0HTMKhX70XpEA3tys9_kk/edit?usp=sharing
• Re-Design of Ballerina SecureSocket API - Swan Lake Version
  https://docs.google.com/document/d/1Y2kLTOw9-sRK1vSEzw5NYdWSA4nwVCvPf3wrbwNDA4s/edit?usp=sharing
• [Review] Ballerina Security APIs of StdLib PCMs https://docs.google.com/document/d/16r_gjBi7SIqVffKVLtKGBevHQRxp7Fnoo9ELyIWV1BM/edit?usp=sharing

---

Swan Lake Alpha

ballerina/auth

• Update and refactor ballerina/auth module APIs Update and refactor ballerina/auth module APIs with Swan Lake design #715

ballerina/jwt

• Update and refactor ballerina/jwt module APIs Update and refactor ballerina/jwt module APIs with Swan Lake design #716

ballerina/oauth2

• Update and refactor ballerina/oauth2 module APIs Update and refactor ballerina/oauth2 module APIs with Swan Lake design #717
• Add support to add optional parameters in OAuth2 introspection request Add support to add optional parameters in OAuth2 introspection request #23
• Add support to read custom fields of OAuth2 introspection response Add support to read custom fields of OAuth2 introspection response #16
• oauth2:OutboundOAuth2Provider is not renewing access token when downstream web API returns 403 oauth2:OutboundOAuth2Provider is not renewing access token when downstream web API returns 403 #17

ballerina/ldap

• Remove ballerina/ldap module by moving implementation to ballerina/auth module Remove ballerina/ldap module by moving implementation to ballerina/auth module #718

ballerina/http

• Implement imperative auth design for ballerina/http module Implement imperative auth design for ballerina/http module #752
• Implement declarative auth design for ballerina/http module Implement declarative auth design for ballerina/http module #813
• Align stdlib annotations with spec Align stdlib annotations with spec #74
• Improve Ballerina authn & authz configurations Improve Ballerina authn & authz configurations #63
• Add support to provide a custom claim name as authorization claim field Add support to provide a custom claim name as authorization claim field #553

Common

• Revisit security related BBEs with all the supported features Revisit security related BBEs with all the supported features #60

---

Swan Lake Beta

Common

• Improve error messages and log messages of security modules Improve error messages and log messages of security modules #1242

ballerina/http

• Error while trying to authorize the request when scopes filed is not configured Error while trying to authorize the request when scopes filed is not configured #972
• Append auth provider error message to http:Unauthorized and http:Forbidden response types Append auth provider error message to http:Unauthorized response type #974
• Replace ballerina/reflect API usages in ballerina/http module Replace ballerina/reflect API usages in ballerina/http module #1012
• Extend listener auth handler APIs for http:Headers class Extend listener auth handler APIs for http:Headers class #1013
• Update SecureSocket API of HTTP Update SecureSocket API of HTTP #917

ballerina/auth

• Enable basic auth file user store support Enable basic auth file user store support #862
• Update SecureSocket API of LDAP Update SecureSocket API of LDAP #1215
• Remove encrypted and hashed password support Remove encrypted and hashed password support #1214
• Improve ballerina/auth test coverage Improve ballerina/auth test coverage #1011

ballerina/jwt

• Split JWT validation API for 2 APIs Split JWT validation API for 2 APIs #1213
• Replace base64 URL encode/decode APIs Replace base64 URL encode/decode APIs #1212
• Extend private key/public cert support for JWT signature generation/validation Extend private key/public cert support for JWT signature generation/validation #822
• Improve SSL configurations in JDK11 HTTP client used for auth modules Improve SSL configurations in JDK11 HTTP client used for auth modules  #936
• Add jti claim as a user input for JWT generation Add jti claim as a user input for JWT generation #1210
• Improve ballerina/jwt test coverage Improve ballerina/jwt test coverage #1010

ballerina/oauth2

• JDK11 HTTP client used for OAuth2 introspection should support OAuth2 client authentication JDK11 HTTP client used for OAuth2 authorization endpoint should support OAuth2 client authentication #935
• Improve SSL configurations in JDK11 HTTP client used for auth modules Improve SSL configurations in JDK11 HTTP client used for auth modules  #936
• Improve the logic of extracting refresh_token from the authorization endpoint response Improve the logic of extracting refresh_token from the token endpoint response #1206
• Improve ballerina/oauth2 test coverage Improve ballerina/oauth2 test coverage #1009

ballerina/ldap

• Move ballerina/ldap module to ballerina-attic

ballerina/crypto

• Add support for reading public/private keys from PEM files Add support for reading public/private keys from PEM files #67
• Improve private key decoding for PKCS8 format Improve private key decoding for PKCS8 format #1208
• Update and refactor ballerina/crypto module APIs Update and refactor ballerina/crypto module APIs #908
• Improve ballerina/crypto test coverage Improve ballerina/crypto test coverage #1297

ballerina/encoding

• Update and refactor ballerina/encoding module APIs Update and refactor ballerina/encoding module APIs #907

ballerina/websocket

• Add auth support for WebSocket clients Add Auth support for websocket clients #820

ballerina/graphql

• Implement declarative auth design for GraphQL module Implement declarative auth design for GraphQL module #1336

---

Swan Lake GA

Common

• Revisit security related APIs across all StdLibs Revisit security related APIs across all StdLibs #1066

ballerina/websocket

• Implement declarative auth design for server side [WebSocket] Implement declarative auth design for server side #1405
• Need to improve return of WebSocket server side auth errors Need to improve return of WebSocket server side auth errors #1230

ballerina/ftp

• Implement Security for FTP Implement Security for FTP #1438

[ldclakmal]

The mandatory issues for SwanLake Beta was done. The remaining issues are need to be prioritized with module owners. Starting with SwanLake Beta, this tracking effort is continued with the custom Dashboard [1]. Hence closing the issue.

[1] https://ldclakmal.me/ballerina-security/issues/