
[VI-252] MAP STS token validation #19907

Merged
merged 13 commits into from
Jan 7, 2025

Conversation


@bramleyjl bramleyjl commented Dec 13, 2024

Summary

  • Updates the MAP token request logic to include validation of the returned token.
  • The MAP public JWKs are requested and stored through the SIS PublicJwks & cached in Redis for 30 minutes; the Redis key is map_public_jwks.
  • Tokens that fail validation will cause a JWT::DecodeError that is logged and re-raised at the MAP service level and returns a 502 Bad Gateway error at the MAP controller level.
  • The mocked JWKs used are VA.gov-created and are used to sign the mocked MAP token response in order to have the token bypass expiry validation; the mocked MAP token is set to expire in 2036.

Related issue(s)

Testing done

  • New code is covered by unit tests.
  • Make sure your vets-api-mockdata is active and is on the latest master to include the mockdata changes linked above.
  • Make a MAP token request:
    • The request should be successful & return a JSON body with an access_token.
    • You should see the following log immediately after the MAP token request log: [MAP][SecurityToken][Service] Get Public JWKs Success
  • Update the access_token in the body of the mockdata file at vets-api-mockdata/map/secure_token_service/token.yml to change the token response (your vets-api instance should now be maintaining the JWK if you don't restart it) & make the MAP token request again:
    • The request should fail with a 502 Bad Gateway error.
    • You should see [MAP][SecurityToken][Service] token failed, JWT decode error -- { :application => :chatbot, :icn => <icn>, :context => "Signature verification failed" } in your Rails logs.

What areas of the site does it impact?

MAP STS token requests

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution.
  • Documentation has been updated (link to documentation).
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs.
  • Feature/bug has a monitor built into Datadog.
  • If the app impacted requires authentication, did you log in to a local build and verify all authenticated routes work as expected?
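The validation flow the PR describes (look up the signing key in the cached public JWKS, check the RS256 signature, check expiry, surface every failure as a decode error the service can log and the controller can turn into a 502), as an added illustration that is not vets-api's code or the jwt gem's. It uses only Ruby's standard library: the RSA key, the kid, the DecodeError class and the sign_token/validate_token/jwk_to_rsa names are all constructed for this example, and the signer stands in for MAP's mocked token response.

```ruby
require 'openssl'
require 'json'
# Constructed stand-in for MAP's RS256 key; vets-api only ever sees the public JWKS (cached in Redis as map_public_jwks).
ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
KID = 'map-test-key-1' # constructed key id
class DecodeError < StandardError; end # stands in for JWT::DecodeError
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

# Public JWKS as MAP would publish it: modulus and exponent only, never the private key.
def public_jwks
  { 'keys' => [{ 'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => KID,
                 'n' => b64url(ISSUER_KEY.n.to_s(2)), 'e' => b64url(ISSUER_KEY.e.to_s(2)) }] }
end

# Mints header.payload.signature the way the mocked STS token response is signed.
def sign_token(payload)
  input = "#{b64url({ 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => KID }.to_json)}.#{b64url(payload.to_json)}"
  "#{input}.#{b64url(ISSUER_KEY.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Rebuilds the RSA public key from a JWK's n/e by wrapping them in a SubjectPublicKeyInfo DER.
def jwk_to_rsa(jwk)
  n, e = %w[n e].map { |k| OpenSSL::BN.new(b64url_decode(jwk[k]), 2) }
  rsa = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  alg = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([alg, OpenSSL::ASN1::BitString(rsa.to_der)]).to_der)
end

# The check the PR adds: kid lookup, RS256 signature, then exp. Every failure is a
# DecodeError so the service layer can log it and the controller can answer 502.
def validate_token(token, jwks, now: Time.now.to_i)
  parts = token.split('.')
  raise DecodeError, 'Malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  raise DecodeError, 'Unsupported alg' unless header.is_a?(Hash) && header['alg'] == 'RS256'
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  raise DecodeError, 'No matching kid in JWKS' unless jwk
  sig_ok = jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), "#{parts[0]}.#{parts[1]}")
  raise DecodeError, 'Signature verification failed' unless sig_ok
  payload = JSON.parse(b64url_decode(parts[1]))
  raise DecodeError, 'Signature has expired' if payload['exp'] && payload['exp'] <= now
  payload
rescue ArgumentError, JSON::ParserError => e
  raise DecodeError, e.message
end
```

Swapping the payload of a validly signed token, as the testing steps above do by editing access_token in the mockdata, reproduces the "Signature verification failed" context seen in the Rails log.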

@bramleyjl bramleyjl marked this pull request as ready for review December 17, 2024 19:20
@bramleyjl bramleyjl requested review from a team as code owners December 17, 2024 19:20
@bramleyjl bramleyjl marked this pull request as draft December 17, 2024 19:24
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main December 17, 2024 19:40
@bramleyjl bramleyjl force-pushed the VI-252_map_sts_validation branch from 8072f78 to b51b540 December 17, 2024 22:55
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main December 17, 2024 23:02
@bramleyjl bramleyjl force-pushed the VI-252_map_sts_validation branch from b51b540 to 6544910 December 18, 2024 16:58
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main December 18, 2024 17:06
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main December 18, 2024 17:48
@bramleyjl bramleyjl force-pushed the VI-252_map_sts_validation branch from 173d25b to a0260af December 18, 2024 22:54
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main December 18, 2024 23:03
@bramleyjl bramleyjl marked this pull request as ready for review December 18, 2024 23:04
@bramleyjl bramleyjl requested review from a team as code owners December 18, 2024 23:04
@bramleyjl bramleyjl requested a review from bosawt December 18, 2024 23:04
ryan-mcneil
ryan-mcneil previously approved these changes Dec 19, 2024
randomsync
randomsync previously approved these changes Dec 19, 2024
@bramleyjl bramleyjl dismissed stale reviews from randomsync, ryan-mcneil, and emilykim13 via fb728f3 January 3, 2025 20:38
@bramleyjl bramleyjl force-pushed the VI-252_map_sts_validation branch from dea2155 to fb728f3 January 3, 2025 20:38
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main January 3, 2025 20:43
@bramleyjl bramleyjl force-pushed the VI-252_map_sts_validation branch from 762441d to 1eb98b8 January 3, 2025 20:56
@va-vfs-bot va-vfs-bot temporarily deployed to VI-252_map_sts_validation/main/main January 3, 2025 21:02
@bramleyjl bramleyjl requested a review from bosawt January 3, 2025 21:13

@bosawt bosawt left a comment


Confirmed staging and production routes are reachable

@bramleyjl bramleyjl merged commit 3159120 into master Jan 7, 2025
22 of 23 checks passed
@bramleyjl bramleyjl deleted the VI-252_map_sts_validation branch January 7, 2025 14:06
bosawt added a commit that referenced this pull request Jan 7, 2025
bosawt added a commit that referenced this pull request Jan 7, 2025
@bramleyjl bramleyjl mentioned this pull request Jan 13, 2025