
Security Audit of Noggin Code Complete #316

Closed
4 tasks
amoloney1 opened this issue Jul 20, 2020 · 5 comments
amoloney1 commented Jul 20, 2020

The code for Noggin needs to be audited for potential security risks and passed before deployment to staging.

Acceptance Criteria:

  • The code is audited by security personnel from Fedora
  • Any security issues with the code are found, reported to the Noggin team using a Security Audit label and then are fixed
  • The code passes all security reviews and is signed off on

Definition of Done:

  • Code passes security checks
  • Installation Docs available
  • Security headers updated
  • Config notes reviewed

@puiterwijk Can you please action this request? Thank you kindly!
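The "Security headers updated" item in the Definition of Done is the kind of check an auditor verifies by capturing a live response and comparing it against a baseline. The following is an added example of such a check; it is not Noggin's code and not taken from the Fedora policy. The header names, the acceptable values and the two sample header sets are this example's own assumptions, constructed inline so it runs offline.

```python
"""Audit helper for a 'security headers' checklist item.

Added example, not Noggin's own code. The baseline below (which headers,
which values count as acceptable) is an assumption for illustration, not
text from the Fedora Infrastructure Application Security Policy.
"""
from typing import Callable, Dict, List


def _hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return 0
    return 0


def _csp_ok(value: str) -> bool:
    """Accept a CSP that sets default-src and does not allow inline or wildcard scripts."""
    directives = {
        d.strip().split(" ", 1)[0].lower(): d.strip()
        for d in value.split(";")
        if d.strip()
    }
    if "default-src" not in directives:
        return False
    # script-src falls back to default-src when absent, as the CSP spec says.
    script = directives.get("script-src", directives["default-src"])
    return "'unsafe-inline'" not in script and "*" not in script.split()


# Header -> predicate on its value. Assumed baseline; tighten to the app's needs.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: _hsts_max_age(v) >= 31536000,  # one year
    "Content-Security-Policy": _csp_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers; an empty list means pass.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not ok(value):
            findings.append(f"weak: {name}: {value!r}")
    return findings


# Constructed samples (not captured from any real deployment): a response
# before the checklist item is done, and a hardened set that passes.
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=600",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Feed `audit_headers` a dict built from a real response (for example from `requests.get(url).headers`) to run it against a staging deployment; the predicates are deliberately strict so that a short HSTS lifetime or an `'unsafe-inline'` script source is reported as a finding rather than silently accepted.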

@puiterwijk

I will try to schedule this soon, is there any deadline when this is wanted?
Additionally, how much flux can/should I still expect of the code, since a security audit is mostly useful after at least the security-sensitive code has stabilized somewhat.

@puiterwijk puiterwijk self-assigned this Jul 21, 2020
@abompard (Member)

The only big change in the code that is incoming is us using the non-legacy API of python_freeipa. That's going to change a lot of lines in a lot of files but it should end up in the exact same operations with FreeIPA, so I don't think it'll change much from a security point of view.
Apart from that, the code should be mostly done.


amoloney1 commented Jul 30, 2020

Hi @puiterwijk would you have an estimate date on when you will be able to complete the security audit please? The team are hoping to deploy Noggin in Staging by Aug 10th so if we could get the code reviewed before then, time willing of course, that would be great!
And thanks @abompard for adding more information to this ticket also! :)

puiterwijk commented Aug 12, 2020

For reference, the commit hashes currently under audit:

puiterwijk commented Aug 12, 2020

According to the Fedora Infrastructure Application Security Policy, any deviations from the policy must be pointed out in the request for the security audit.
I cannot find any notes in this ticket to that effect, so I'm now adding that here:

The violated sections of the Application Security Policy and their justifications:

  • Authentication: noggin requires a token for direct access to IPA, and this is not possible with OpenID Connect. Additionally, there is no API in noggin.
  • Authorization: noggin doesn't use OpenID Connect per the previous justification

These justifications have been accepted as part of the security audit, so these sections will not apply to noggin for the purpose of this audit.
