Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[78699] SiS validate /authenticate csp type & acr #16241

Merged
merged 17 commits into from
Apr 18, 2024
Merged

[78699] SiS validate /authenticate csp type & acr #16241

merged 17 commits into from
Apr 18, 2024

Conversation

bramleyjl
Copy link
Contributor

@bramleyjl bramleyjl commented Apr 8, 2024
edited
Loading

Summary

  • Adds validation of requested csp type & acr during SiS /authorize against saved ClientConfig service_levels and credential_service_providers attributes.
  • Clients default to accepting all credential_service_providers (idme, logingov, mhv, dslogon) & service_levels (ial1, ial2, loa1, loa3, min).
  • Failed validation results in MalformedParamsError with "Type|ACR is not valid".
  • Existing type & acr validation against saved SiS constants is now redundant and has been removed; ClientConfig service_levels and credential_service_providers attributes are already validated against the same constants.

Related issue(s)

Testing done

  • New code is covered by unit tests
  • To test, modify the service_levels or credential_service_providers values of your chosen ClientConfig to remove the CSP type or ACR you wish to test with
client_config = SignIn::ClientConfig.find_by(client_id: 'vaweb')
client_config.credential_service_providers = ['logingov']
client_config.service_levels = ['ial2']
client_config.save!
  • Attempt a SiS login with the prohibited values
# Bad CSP
localhost:3000/v0/sign_in/authorize?type=idme&acr=loa1...

# Bad ACR
localhost:3000/v0/sign_in/authorize?type=logingov&acr=ial1...
  • Your /authorize call should fail with the following errors
# Bad CSP
[SignInService] [V0::SignInController] authorize error -- { :errors => "Type is not valid", :client_id => "vaweb", :type => "idme", :acr => "loa1" }

# Bad ACR
[SignInService] [V0::SignInController] authorize error -- { :errors => "ACR is not valid", :client_id => "vaweb", :type => "logingov", :acr => "ial1" }

What areas of the site does it impact?

SiS authentication.

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected

@bramleyjl bramleyjl mentioned this pull request Apr 8, 2024
Merged
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 8, 2024 19:19 Inactive
bosawt
bosawt reviewed Apr 8, 2024
View reviewed changes
Copy link
Contributor

@bosawt bosawt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll properly review when the DB PR is complete, but just stating that this looks like the right approach

@bosawt bosawt self-requested a review April 8, 2024 20:39
@bramleyjl bramleyjl force-pushed the 78699_block_csp_acr branch from 0e21fd7 to 8462064 Compare April 9, 2024 17:35
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 9, 2024 17:50 Inactive
@bramleyjl bramleyjl force-pushed the 78699_block_csp_acr branch from 3bd1751 to 24cac69 Compare April 10, 2024 18:51
@bramleyjl bramleyjl marked this pull request as ready for review April 10, 2024 18:55
@bramleyjl bramleyjl requested a review from a team as a code owner April 10, 2024 18:55
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 10, 2024 18:56 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 11, 2024 15:43 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 11, 2024 17:56 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 11, 2024 20:16 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 11, 2024 21:18 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 15, 2024 18:07 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 16, 2024 16:49 Inactive
@bramleyjl bramleyjl enabled auto-merge (squash) April 17, 2024 14:38
@bramleyjl bramleyjl mentioned this pull request Apr 17, 2024
Merged
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 17, 2024 15:05 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 18, 2024 15:13 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 78699_block_csp_acr/main/main April 18, 2024 16:52 Inactive
dickdavis
dickdavis approved these changes Apr 18, 2024
View reviewed changes
Copy link
Contributor

@dickdavis dickdavis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bramleyjl bramleyjl merged commit d1a5670 into master Apr 18, 2024
20 checks passed
@bramleyjl bramleyjl deleted the 78699_block_csp_acr branch April 18, 2024 19:18
@RachalCassity
Copy link
Member

RachalCassity commented Apr 19, 2024
edited
Loading

@bramleyjl I am having an issue signing in locally:

2024-04-19 11:58:21.212548 D [40947:puma srv tp 001] ActiveRecord::Base --   
app/controllers/v0/sign_in_controller.rb:374:in `client_config'
NameError: undefined local variable or method `credential_service_providers' for #<SignIn::ClientConfig id: 1, ...
redirect_uri: "http://localhost:3001/auth/login/callback",

@bramleyjl bramleyjl mentioned this pull request Apr 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dickdavis dickdavis dickdavis approved these changes

@bosawt bosawt Awaiting requested review from bosawt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bramleyjl @RachalCassity @dickdavis @bosawt @va-vfs-bot