ONYX-14324 - authn-jwt - enhance public key delivery mechanisms #2437
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
5 times, most recently
from
a260705 to
2ea3511
Compare
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
9b4be9c to
374288c
Compare
| [//]: # "2. Design documents should not be updated after implementation" | ||
| [//]: # "3. Design decisions should be made before writing this document, and as such this document should not include options / choices" | ||
|
|
||
|
|
There was a problem hiding this comment.
Multiple consecutive blank lines
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
bfe6313 to
1437409
Compare
16 tasks
|
|
||
| ```bash | ||
| conjur variable set -i conjur/authn-jwt/myUnreachableVendor/public-keys \ | ||
| "{ \"type\":\"jwks\", \"value\": $(curl https://www.googleapis.com/oauth2/v3/certs) }" |
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
23c302c to
a82e16d
Compare
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
a82e16d to
e7cc563
Compare
|
|
||
| | **Error message** | **Description** | | ||
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: JSON parsing error from JSON gem | When the variable value is not a valid JSON | |
| | **Error message** | **Description** | | ||
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: JSON parsing error from JSON gem | When the variable value is not a valid JSON | | ||
| | Signing key configuration is invalid: `public-keys` `type` field value is missing or empty | When type field absent or has empty value | |
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: JSON parsing error from JSON gem | When the variable value is not a valid JSON | | ||
| | Signing key configuration is invalid: `public-keys` `type` field value is missing or empty | When type field absent or has empty value | | ||
| | Signing key configuration is invalid: `public-keys` `type` field value {} is wrong | When type field value is no `jwks` | |
| | Signing key configuration is invalid: JSON parsing error from JSON gem | When the variable value is not a valid JSON | | ||
| | Signing key configuration is invalid: `public-keys` `type` field value is missing or empty | When type field absent or has empty value | | ||
| | Signing key configuration is invalid: `public-keys` `type` field value {} is wrong | When type field value is no `jwks` | | ||
| | Signing key configuration is invalid: `public-keys` `value` field is missing or empty | When value field absent or has empty value | |
| | S1 | 3 SP | | ||
| | S2 | 2 SP | | ||
| | S3 | 3 SP (without integration tests) | | ||
| | S4 | 2 SP (considering spike code [cyberark/conjur#2447](https://github.com/cyberark/conjur/pull/2447)) | |
|
|
||
| * `public-keys` - a variable contains static JWKS value for the case where Conjur | ||
| is unable to reach server hosts jwks/provider-uri. | ||
| <details> |
| supported. More types can be supported in future. | ||
| * `value` - the value of JWKS as is it's returned from unreachable jwks/provider-uri | ||
| endpoint. | ||
| <details><summary>JSON example</summary> |
| supported. More types can be supported in future. | ||
| * `value` - the value of JWKS as is it's returned from unreachable jwks/provider-uri | ||
| endpoint. | ||
| <details><summary>JSON example</summary> |
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
2eaa2e5 to
5cfcd06
Compare
| * `ca-cert` - a variable contains certificates bundle with additional CA certificates | ||
| conjur will trust when it | ||
| approaches jwks/provider uri. | ||
| <details> |
|
|
||
| The `ca-cert` variable format is a certificate bundle contains one or more certificates | ||
| in pem ([rfc7468](https://datatracker.ietf.org/doc/html/rfc7468)) format. | ||
| <details><summary>Bundle example</summary> |
|
|
||
| The `ca-cert` variable format is a certificate bundle contains one or more certificates | ||
| in pem ([rfc7468](https://datatracker.ietf.org/doc/html/rfc7468)) format. | ||
| <details><summary>Bundle example</summary> |
| requirements. | ||
|
|
||
| 1. Create abstraction layer for relevant Conjur variables from authenticator's BL | ||
| <details><div> |
| requirements. | ||
|
|
||
| 1. Create abstraction layer for relevant Conjur variables from authenticator's BL | ||
| <details><div> |
| * `signing_key`: String - returns `public-keys` variable value | ||
| * `ca_cert`: `OpenSSL::X509::Store`<br> | ||
| Store creation example | ||
| ```ruby |
There was a problem hiding this comment.
Fenced code blocks should be surrounded by blank lines
| </div></details> | ||
|
|
||
| 1. Add new properties to `SigningKeySettings` class | ||
| <details><div> |
| </div></details> | ||
|
|
||
| 1. Add new properties to `SigningKeySettings` class | ||
| <details><div> |
| Add new properties to the `SigningKeySettings` class: | ||
|
|
||
| * `signing_key`: String - returns `public-keys` variable value | ||
| * `ca_cert`: `OpenSSL::X509::Store`<br> |
| Store creation example | ||
| ```ruby | ||
| ca_cert = OpenSSL::X509::Store.new | ||
| ::Conjur::CertUtils.add_chained_cert(ca_cert, <VARIABLE_VALUE>) |
|
|
||
| 1. Use additional CA certificates during keys fetching in both `jwks-uri` and `provider-uri` | ||
| use cases | ||
| <details><div> |
|
|
||
| 1. Use additional CA certificates during keys fetching in both `jwks-uri` and `provider-uri` | ||
| use cases | ||
| <details><div> |
|
|
||
| 1. Refactor cache layer related to `FetchProviderUriSigningKey` and `FetchJwksUriSigningKey` | ||
| classes | ||
| <details><div> |
|
|
||
| 1. Refactor cache layer related to `FetchProviderUriSigningKey` and `FetchJwksUriSigningKey` | ||
| classes | ||
| <details><div> |
|
|
||
| 1. Create new `FetchStaticSigningKey` class parses the `public-keys` variable value | ||
| and returns a valid JWKS structure | ||
| <details><div> |
| public-keys configuration, and non-functional - decoupling variables from main BL | ||
| requirements. | ||
|
|
||
| 1. <a name="s1"></a>Create abstraction layer for relevant Conjur variables from |
|
|
||
| </div></details> | ||
|
|
||
| 1. <a name="s2"></a>Add new properties to `SigningKeySettings` class |
| Fallback scenario: to support `ca-cert` variable only for `jwks-uri` variable. | ||
| </div></details> | ||
|
|
||
| 1. <a name="s4"></a>Refactor cache layer related to `FetchProviderUriSigningKey` |
|  | ||
| </div></details> | ||
|
|
||
| 1. <a name="s5"></a>Create new `FetchStaticSigningKey` class parses the `public-keys` |
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
5d77a25 to
959b682
Compare
|
|
||
| | **Error message** | **Description** | | ||
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: only one of `jwks-uri`, `provider-uri`, `public-keys` variables can be define simultaneously | When more than one variable is defined | |
| | **Error message** | **Description** | | ||
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: only one of `jwks-uri`, `provider-uri`, `public-keys` variables can be define simultaneously | When more than one variable is defined | | ||
| | Signing key configuration is invalid: `ca-cert` variable can be defined only with `jwks-uri` variables | When `ca-cert` variable defined with `provider-uri` or `public-keys` variables | |
| |-------------------|-----------------| | ||
| | Signing key configuration is invalid: only one of `jwks-uri`, `provider-uri`, `public-keys` variables can be define simultaneously | When more than one variable is defined | | ||
| | Signing key configuration is invalid: `ca-cert` variable can be defined only with `jwks-uri` variables | When `ca-cert` variable defined with `provider-uri` or `public-keys` variables | | ||
| | Signing key configuration is invalid: missing `issuer` variable | When `public-keys` variable is defined but `issuer` is not | |
| | Signing key configuration is invalid: only one of `jwks-uri`, `provider-uri`, `public-keys` variables can be define simultaneously | When more than one variable is defined | | ||
| | Signing key configuration is invalid: `ca-cert` variable can be defined only with `jwks-uri` variables | When `ca-cert` variable defined with `provider-uri` or `public-keys` variables | | ||
| | Signing key configuration is invalid: missing `issuer` variable | When `public-keys` variable is defined but `issuer` is not | | ||
| | Signing key configuration is invalid: {variable-name} variable is defined but empty | When variables permutation is valid but one of it is empty | |
|
|
||
| </div></details> | ||
|
|
||
| 1. <a name="s3"></a>Use additional CA certificates during keys fetching in `jwks-uri` |
Create table of contents for authn-jwt related designs
sashaCher
dismissed stale reviews from benoaviram and tzheleznyak
via
13ea316
sashaCher
force-pushed
the
authn-jwk-configuration-design
branch
from
959b682 to
13ea316
Compare
| |[Enforced claims and claim aliases](token_schema.md)|July 18, 2021| | ||
| |[`aud` claim support](aud_claim_support.md)|July 29, 2021| | ||
| |[Complex token support](complex_token.md)|October 27, 2021| | ||
| |[Enhance signing key delivery mechanisms](authn-jwt-fetch-more-keys.md)|December 27, 2021| |
| | Signing key configuration is invalid: `public-keys` `value` field is missing or empty | When value field absent or has empty value | | ||
| </div></details> | ||
|
|
||
| 1. <a name="s6"></a>Strict JWKS structure input validation |
| </div></details> | ||
|
|
||
| 1. <a name="s6"></a>Strict JWKS structure input validation | ||
| <details><div> |
| </div></details> | ||
|
|
||
| 1. <a name="s6"></a>Strict JWKS structure input validation | ||
| <details><div> |
| * `value` - the value of JWKS as is it's returned from unreachable jwks/provider-uri | ||
| endpoint. | ||
| <details><summary>JSON example</summary> | ||
| For example (based on https://www.googleapis.com/oauth2/v3/certs): |
|
Code Climate has analyzed commit 13ea316 and detected 48 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 91.0% (0.0% change). View more on Code Climate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this does PR do?
Introduces design for two new configuration variables of JWT authenticator.
Connected Issue/Story
ONYX-14324
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Security