Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[VI-252] MAP STS token validation #19907

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from
Draft

[VI-252] MAP STS token validation #19907

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bc7a24b
adds map sts token duration validation
bramleyjl Nov 26, 2024
fa248c6
updates
bramleyjl Nov 26, 2024
07767fb
updates & unit specs
bramleyjl Dec 2, 2024
6f246bf
initial MAP JWT signature validation
bramleyjl Dec 11, 2024
c2afa83
map jwks call
bramleyjl Dec 13, 2024
082452d
updates map response to a VA.gov-owned keypair
bramleyjl Dec 17, 2024
b51b540
spec & mock updates
bramleyjl Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/controllers/v0/map_services_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ def token
result = MAP::SecurityToken::Service.new.token(application: params[:application].to_sym, icn:, cache: false)

render json: result, status: :ok
rescue Common::Client::Errors::ClientError, Common::Exceptions::GatewayTimeout
rescue Common::Client::Errors::ClientError, Common::Exceptions::GatewayTimeout, JWT::DecodeError
render json: sts_client_error, status: :bad_gateway
rescue MAP::SecurityToken::Errors::ApplicationMismatchError
render json: application_mismatch_error, status: :bad_request
Expand Down
3 changes: 3 additions & 0 deletions config/betamocks/services_config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -896,6 +896,9 @@
- :method: :post
:path: "/sts/oauth/v1/token"
:file_path: "map/secure_token_service/token"
- :method: :get
:path: "/sts/oauth/v1/jwks"
:file_path: "map/secure_token_service/jwks"

# Sign Up Service Terms API
- :name: "MAP SUS"
Expand Down
14 changes: 14 additions & 0 deletions lib/map/security_token/configuration.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ def client_cert_path
Settings.map_services.client_cert_path
end

def provider_jwks_path
'/sts/oauth/v1/jwks'
end

def service_name
'map_security_token_service'
end
Expand Down Expand Up @@ -78,6 +82,16 @@ def client_assertion_certificate
OpenSSL::X509::Certificate.new(File.read(client_cert_path))
end

def provider_certificate
@provider_certificate ||= build_provider_certificate
end

def build_provider_certificate
response = connection.get(provider_jwks_path)
jwk = response.body['keys'].first
JWT::JWK.import(jwk).keypair.public_key
end

def connection
@connection ||= Faraday.new(
base_path,
Expand Down
12 changes: 12 additions & 0 deletions lib/map/security_token/service.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ def token(application:, icn:, cache: true)
Rails.logger.error("#{config.logging_prefix} token failed, parsing error", application:, icn:,
context: e.message)
raise e
rescue JWT::DecodeError => e
Rails.logger.error("#{config.logging_prefix} token failed, JWT decode error", application:, icn:,
context: e.message)
raise e
rescue Common::Client::Errors::ClientError => e
parse_and_raise_error(e, icn, application)
rescue Common::Exceptions::GatewayTimeout => e
Expand Down Expand Up @@ -57,17 +61,25 @@ def parse_and_raise_error(e, icn, application)

def parse_response(response, application, icn)
response_body = response.body
validate_map_token(response_body['access_token'])

{
access_token: response_body['access_token'],
expiration: Time.zone.now + response_body['expires_in']
}
rescue JWT::DecodeError => e
raise e
rescue => e
message = "#{config.logging_prefix} token failed, response unknown"
Rails.logger.error(message, application:, icn:)
raise e, "#{message}, application: #{application}, icn: #{icn}"
end

def validate_map_token(encoded_token)
public_cert = config.provider_certificate
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're going to want to cache this call, here is an example how we do it for id.me and login.gov public certs: lib/sign_in/public_jwks.rb.

JWT.decode(encoded_token, public_cert, true, algorithm: 'RS512')
end

def client_id_from_application(application)
case application
when :chatbot
Expand Down
18 changes: 9 additions & 9 deletions spec/lib/map/security_token/service_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,16 +127,16 @@
end
end

context 'when response is malformed',
vcr: { cassette_name: 'map/security_token_service_200_malformed_response' } do
let(:expected_error) { Common::Client::Errors::ParsingError }
let(:expected_error_message) { "unexpected token at 'Not valid JSON'" }
let(:expected_logger_message) { "#{log_prefix} token failed, parsing error" }
let(:expected_log_values) { { application:, icn:, context: expected_error_message } }

it 'raises an gateway timeout error and creates a log' do
context 'when response is an invalid token',
vcr: { cassette_name: 'map/security_token_service_200_invalid_token' } do
let(:expected_error) { JWT::DecodeError }
let(:expected_error_context) { 'Signature verification failed' }
let(:expected_logger_message) { "#{log_prefix} token failed, JWT decode error" }
let(:expected_log_values) { { application:, icn:, context: expected_error_context } }

it 'raises a JWT Decode error and creates a log' do
expect(Rails.logger).to receive(:error).with(expected_logger_message, expected_log_values)
expect { subject }.to raise_exception(expected_error, expected_error_message)
expect { subject }.to raise_exception(expected_error, expected_error_context)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/lib/map/sign_up/service_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@
let(:expected_log_message) { "#{log_prefix} agreements accept success, icn: #{icn}" }

before do
Timecop.freeze(Time.zone.local(2023, 1, 1, 12, 0, 0))
Timecop.freeze(Time.zone.local(2024, 9, 1, 12, 0, 0))
allow(Rails.logger).to receive(:info)
end

Expand Down
20 changes: 19 additions & 1 deletion spec/requests/v0/map_services_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,25 @@
end
end

context 'when MAP STS client returns an access token',
context 'when MAP STS client returns an invalid token',
vcr: { cassette_name: 'map/security_token_service_200_invalid_token' } do
it 'responds with error details in response body' do
call_endpoint
expect(JSON.parse(response.body)).to eq(
{
'error' => 'server_error',
'error_description' => 'STS failed to return a valid token.'
}
)
end

it 'returns HTTP status bad_gateway' do
call_endpoint
expect(response).to have_http_status(:bad_gateway)
end
end

context 'when MAP STS client returns a valid access token',
vcr: { cassette_name: 'map/security_token_service_200_response' } do
it 'responds with STS-issued token in response body' do
call_endpoint
Expand Down
141 changes: 141 additions & 0 deletions spec/support/vcr_cassettes/map/security_token_service_200_invalid_token.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

72 changes: 0 additions & 72 deletions spec/support/vcr_cassettes/map/security_token_service_200_malformed_response.yml
View file
Open in desktop

This file was deleted.

Loading
Loading