Initial Remote Vetting cleanup #220

Merged
merged 8 commits into from
Feb 26, 2021
1 change: 1 addition & 0 deletions composer.json
@@ -14,6 +14,7 @@
"prefer-stable": true,
"require": {
"php": "~7.2",
"ext-json": "*",
"guzzlehttp/guzzle": "^6",
"incenteev/composer-parameter-handler": "~2.0",
"jms/translation-bundle": "^1.3.0",
5 changes: 3 additions & 2 deletions composer.lock


31 changes: 19 additions & 12 deletions config/legacy/parameters.yaml.dist
@@ -62,6 +62,8 @@ parameters:

# remote vetting

remote_vetting_entity_id: https://selfservice.stepup.example.com/rv/metadata

Comment on lines +65 to +66
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I lack context, but isn't the RV configuration still configurable? Albeit it became less pronounced, you can still configure the entity ID in parameters.yml.

Contributor Author


Only the entity ID and keys, but not the endpoint anymore; that seemed to be confusing because of the multiple ACS endpoints that exist.

# For each remote vetting IdP we require some parameters.
remote_vetting_idps:
# The display name
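Review bot: the new `remote_vetting_entity_id` parameter carries only the bare `# remote vetting` heading, while every neighbouring parameter in this file explains its purpose. Add a line stating that this is the entity ID SelfService presents as the remote-vetting SP, i.e. the value that replaces the removed `remote_vetting_sp.entityId` further down, and point out that it changes from `https://selfservice.stepup.example.com/saml/metadata` to `https://selfservice.stepup.example.com/rv/metadata`: any RV IdP that already trusts the old entity ID has to be updated or its responses will be addressed to an SP that no longer exists.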
@@ -82,7 +84,6 @@ parameters:
ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
# Certificates for the remote vetting IdP
certificateFile: "%saml_rv_publickey%"
privateKey: "%saml_rv_privatekey%"
# The attribute mapping should map the institute IdP attributes with the ones received from the remote vetting
# IdP.
attributeMapping:
@@ -97,7 +98,6 @@ parameters:
entityId: https://selfservice.stepup.example.com/mock/metadata
ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
certificateFile: "%saml_rv_publickey%"
privateKey: "%saml_rv_privatekey%"
attributeMapping:
givenName: firstName
surname: lastName
@@ -110,16 +110,21 @@ parameters:
entityId: https://selfservice.stepup.example.com/mock/metadata
ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
certificateFile: '%saml_rv_publickey%'
privateKey: '%saml_rv_privatekey%'
attributeMapping:
givenName: firstName
surname: lastName
# SelfService acts as the remote vetting SP, this metadata is used by the remote vetting IdP's to post their SAML
# responses to
remote_vetting_sp:
entityId: https://selfservice.stepup.example.com/saml/metadata
assertionConsumerUrl: https://selfservice.stepup.example.com/second-factor/acs
privateKey: '%saml_rv_privatekey%'
- slug: mock
name: 'Mock IDP'
logo: /images/remote-vetting/mock.png
description:
nl_NL: 'This is an integration test IdP.'
en_GB: 'This is an integration test IdP.'
entityId: 'https://selfservice.stepup.example.com/mock/metadata'
ssoUrl: 'https://selfservice.stepup.example.com/second-factor/mock/sso'
certificateFile: '%saml_rv_publickey%'
attributeMapping:
givenName: firstName
surname: lastName
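Review bot: the added `- slug: mock` entry uses the same `entityId` (`https://selfservice.stepup.example.com/mock/metadata`) and `ssoUrl` as the two entries above it, so three configured RV IdPs now share one SAML Issuer. Please confirm the IdP configuration is selected by `slug` and never by entity ID; otherwise the `attributeMapping` to apply to an incoming response is ambiguous. Also, the `nl_NL` description carries the English sentence `'This is an integration test IdP.'`; either translate it or drop the key so the fallback applies.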

identity_encryption_configuration:
# The public key used to encrypt the remote vetting user data. The private key matching this is used to decrypt,
@@ -147,6 +152,8 @@ parameters:
# The location on disk where the encrypted remote vetting user data is stored
storage_location: '%kernel.project_dir%/var/rv'

# For test, we use a mock remote vetting IdP, these certificates are used for that.
saml_rv_publickey: /src/Stepup-SelfService/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt
saml_rv_privatekey: /src/Stepup-SelfService/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key

# Saml Remote Vetting SP public key
saml_rv_publickey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt'
# Saml Remote Vetting Mock IdP private key (used for development and testing, this value should be omitted in production)
saml_rv_privatekey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key'
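Review bot: the two comments describe one key pair as if it were two. `saml_rv_publickey` is labelled "Remote Vetting SP public key" and `saml_rv_privatekey` "Mock IdP private key (... should be omitted in production)", yet `test.crt` and `test.key` are a single pair and the same `%saml_rv_privatekey%` parameter is wired in this PR both as the SP-side key (`RemoteVettingConfiguration` `$privateKey`) and as the mock IdP key (`MockConfiguration` `$privateKeyPath`), with `%saml_rv_publickey%` doubling as every IdP's `certificateFile`. A production deployment cannot omit the SP private key if the SP needs it, and it must not share a key with any IdP. Suggest either splitting into separate SP and mock-IdP parameters, or rewording the comments to say that in dev/test one test pair is deliberately reused for both roles and that production must supply a distinct SP key.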
142 changes: 46 additions & 96 deletions config/legacy/samlstepupproviders.yaml
@@ -7,56 +7,6 @@ surfnet_stepup_self_service_saml_stepup_provider:
metadata: ss_registration_gssf_saml_metadata

providers:
tiqr:
hosted:
service_provider:
public_key: "%gssp_tiqr_sp_publickey%"
private_key: "%gssp_tiqr_sp_privatekey%"
metadata:
public_key: "%gssp_tiqr_metadata_publickey%"
private_key: "%gssp_tiqr_metadata_privatekey%"
remote:
entity_id: "%gssp_tiqr_remote_entity_id%"
sso_url: "%gssp_tiqr_remote_sso_url%"
certificate: "%gssp_tiqr_remote_certificate%"
view_config:
loa: "%gssp_tiqr_loa%"
logo: "%gssp_tiqr_logo%"
alt: "%gssp_tiqr_alt%"
title: "%gssp_tiqr_title%"
description: "%gssp_tiqr_description%"
button_use: "%gssp_tiqr_button_use%"
initiate_title: "%gssp_tiqr_initiate_title%"
initiate_button: "%gssp_tiqr_initiate_button%"
explanation: "%gssp_tiqr_explanation%"
authn_failed: "%gssp_tiqr_authn_failed%"
pop_failed: "%gssp_tiqr_pop_failed%"
app_android_url: "%gssp_tiqr_app_android_url%"
app_ios_url: "%gssp_tiqr_app_ios_url%"
biometric:
hosted:
service_provider:
public_key: "%gssp_biometric_sp_publickey%"
private_key: "%gssp_biometric_sp_privatekey%"
metadata:
public_key: "%gssp_biometric_metadata_publickey%"
private_key: "%gssp_biometric_metadata_privatekey%"
remote:
entity_id: "%gssp_biometric_remote_entity_id%"
sso_url: "%gssp_biometric_remote_sso_url%"
certificate: "%gssp_biometric_remote_certificate%"
view_config:
loa: "%gssp_biometric_loa%"
logo: "%gssp_biometric_logo%"
alt: "%gssp_biometric_alt%"
title: "%gssp_biometric_title%"
description: "%gssp_biometric_description%"
button_use: "%gssp_biometric_button_use%"
initiate_title: "%gssp_biometric_initiate_title%"
initiate_button: "%gssp_biometric_initiate_button%"
explanation: "%gssp_biometric_explanation%"
authn_failed: "%gssp_biometric_authn_failed%"
pop_failed: "%gssp_biometric_pop_failed%"
webauthn:
hosted:
service_provider:
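Review bot: this hunk drops the `biometric` provider entirely (`tiqr` reappears further down in the file), but nothing in the shown diff removes the `gssp_biometric_*` parameters it referenced, so if they still exist in parameters.yaml.dist they become dead configuration. The PR description should state which GSSPs are intentionally no longer configured on the RV branch, and the matching parameters should go in the same change so the two files do not disagree.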
@@ -83,32 +33,58 @@ surfnet_stepup_self_service_saml_stepup_provider:
pop_failed: "%gssp_webauthn_pop_failed%"
app_android_url: "%gssp_webauthn_app_android_url%"
app_ios_url: "%gssp_webauthn_app_ios_url%"
azuremfa:
Member


This might lead to issues when building the dev environment. The application provisioning first composer-installs with scripts using the VCS-provided parameters. It then dumps the StepupDeploy-specific parameters, and composer-installs them again. IIRC the first run requires the azuremfa GSSP to be in the config. I do not have time to re-provision my SelfService at this moment, but maybe this warning rings a bell with you? It might well be I'm mistaken here.

Contributor Author


I had to change the config in order to get my dedicated RV Stepup-VM up and running with the config in the remote-vetting branch in Deploy. Not all GSSPs were and will be configured for RV, so this was done just to reflect that config. This indeed should be addressed to reflect develop in Deploy, but I think it should be addressed just before (and only if) RV lands back in develop. But because that could take a while and a lot of Deploy's config could have changed in the meantime, I'd prefer to keep this config in sync with the RV branch in Deploy.

demo_gssp_2:
hosted:
service_provider:
public_key: "%gssp_azuremfa_sp_publickey%"
private_key: "%gssp_azuremfa_sp_privatekey%"
public_key: "%gssp_demo_gssp_2_sp_publickey%"
private_key: "%gssp_demo_gssp_2_sp_privatekey%"
metadata:
public_key: "%gssp_azuremfa_metadata_publickey%"
private_key: "%gssp_azuremfa_metadata_privatekey%"
public_key: "%gssp_demo_gssp_2_metadata_publickey%"
private_key: "%gssp_demo_gssp_2_metadata_privatekey%"
remote:
entity_id: "%gssp_azuremfa_remote_entity_id%"
sso_url: "%gssp_azuremfa_remote_sso_url%"
certificate: "%gssp_azuremfa_remote_certificate%"
entity_id: "%gssp_demo_gssp_2_remote_entity_id%"
sso_url: "%gssp_demo_gssp_2_remote_sso_url%"
certificate: "%gssp_demo_gssp_2_remote_certificate%"
view_config:
loa: 3
logo: "%gssp_demo_gssp_2_logo%"
alt: "%gssp_demo_gssp_2_alt%"
title: "%gssp_demo_gssp_2_title%"
description: "%gssp_demo_gssp_2_description%"
button_use: "%gssp_demo_gssp_2_button_use%"
initiate_title: "%gssp_demo_gssp_2_initiate_title%"
initiate_button: "%gssp_demo_gssp_2_initiate_button%"
explanation: "%gssp_demo_gssp_2_explanation%"
authn_failed: "%gssp_demo_gssp_2_authn_failed%"
pop_failed: "%gssp_demo_gssp_2_pop_failed%"
app_android_url: "%gssp_demo_gssp_2_app_android_url%"
app_ios_url: "%gssp_demo_gssp_2_app_ios_url%"
tiqr:
hosted:
service_provider:
public_key: "%gssp_tiqr_sp_publickey%"
private_key: "%gssp_tiqr_sp_privatekey%"
metadata:
public_key: "%gssp_tiqr_metadata_publickey%"
private_key: "%gssp_tiqr_metadata_privatekey%"
remote:
entity_id: "%gssp_tiqr_remote_entity_id%"
sso_url: "%gssp_tiqr_remote_sso_url%"
certificate: "%gssp_tiqr_remote_certificate%"
view_config:
loa: 2
logo: "%gssp_azuremfa_logo%"
alt: "%gssp_azuremfa_alt%"
title: "%gssp_azuremfa_title%"
description: "%gssp_azuremfa_description%"
button_use: "%gssp_azuremfa_button_use%"
initiate_title: "%gssp_azuremfa_initiate_title%"
initiate_button: "%gssp_azuremfa_initiate_button%"
explanation: "%gssp_azuremfa_explanation%"
authn_failed: "%gssp_azuremfa_authn_failed%"
pop_failed: "%gssp_azuremfa_pop_failed%"
app_android_url: "%gssp_azuremfa_app_android_url%"
app_ios_url: "%gssp_azuremfa_app_ios_url%"
logo: "%gssp_tiqr_logo%"
alt: "%gssp_tiqr_alt%"
title: "%gssp_tiqr_title%"
description: "%gssp_tiqr_description%"
button_use: "%gssp_tiqr_button_use%"
initiate_title: "%gssp_tiqr_initiate_title%"
initiate_button: "%gssp_tiqr_initiate_button%"
explanation: "%gssp_tiqr_explanation%"
authn_failed: "%gssp_tiqr_authn_failed%"
pop_failed: "%gssp_tiqr_pop_failed%"
app_android_url: "%gssp_tiqr_app_android_url%"
app_ios_url: "%gssp_tiqr_app_ios_url%"
demo_gssp:
hosted:
service_provider:
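Review bot: the re-added `tiqr` block hardcodes `loa: 2` where the removed block used `loa: "%gssp_tiqr_loa%"`, and `demo_gssp_2` hardcodes `loa: 3`. The LoA is the assurance level a vetted second factor is granted, and it was previously a deploy-time parameter; fixing it in a checked-in YAML file means a deployment can no longer adjust it without a code change and silently diverges from whatever `gssp_tiqr_loa` is set to. Suggest keeping `loa: "%gssp_tiqr_loa%"` (and a `%gssp_demo_gssp_2_loa%` parameter) unless the literal values are intended for the RV branch only, in which case say so in a comment. Moving `tiqr` below `demo_gssp_2` in the same hunk also makes the diff read as a rewrite of `azuremfa` into `tiqr`; a separate reorder commit would make the actual change (azuremfa replaced by demo_gssp_2, tiqr kept) easier to verify.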
@@ -135,29 +111,3 @@ surfnet_stepup_self_service_saml_stepup_provider:
pop_failed: "%gssp_demo_gssp_pop_failed%"
app_android_url: "%gssp_demo_gssp_app_android_url%"
app_ios_url: "%gssp_demo_gssp_app_ios_url%"
demo_gssp_2:
hosted:
service_provider:
public_key: "%gssp_demo_gssp_2_sp_publickey%"
private_key: "%gssp_demo_gssp_2_sp_privatekey%"
metadata:
public_key: "%gssp_demo_gssp_2_metadata_publickey%"
private_key: "%gssp_demo_gssp_2_metadata_privatekey%"
remote:
entity_id: "%gssp_demo_gssp_2_remote_entity_id%"
sso_url: "%gssp_demo_gssp_2_remote_sso_url%"
certificate: "%gssp_demo_gssp_2_remote_certificate%"
view_config:
loa: 3
logo: "%gssp_demo_gssp_2_logo%"
alt: "%gssp_demo_gssp_2_alt%"
title: "%gssp_demo_gssp_2_title%"
description: "%gssp_demo_gssp_2_description%"
button_use: "%gssp_demo_gssp_2_button_use%"
initiate_title: "%gssp_demo_gssp_2_initiate_title%"
initiate_button: "%gssp_demo_gssp_2_initiate_button%"
explanation: "%gssp_demo_gssp_2_explanation%"
authn_failed: "%gssp_demo_gssp_2_authn_failed%"
pop_failed: "%gssp_demo_gssp_2_pop_failed%"
app_android_url: "%gssp_demo_gssp_2_app_android_url%"
app_ios_url: "%gssp_demo_gssp_2_app_ios_url%"
28 changes: 28 additions & 0 deletions config/services_dev.yaml
@@ -0,0 +1,28 @@
# Use this service definition file to override services and parameters in the dev environment.
# For example to mock certain services, or override a password for test.
services:
# A remote vetting mock IdP is used in order to mock the attributes released from a remote RV (Remote Vetting) IdP.
# This IdP is utilized as a drop in replacement to test the attribute matching between a remote IdP to vet with and the local
# OpenConext IdP.
Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration:
arguments:
$privateKey: '%saml_rv_privatekey%'
$configurationSettings: '%identity_encryption_configuration%'
$remoteVettingIdpConfig: '%remote_vetting_idps%'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration:
arguments:
$identityProviderEntityId: 'https://selfservice.stepup.example.com/mock/idp/metadata'
$serviceProviderEntityId: 'https://selfservice.stepup.example.com/rv/metadata'
$privateKeyPath: '%saml_rv_privatekey%'
$publicCertPath: '%saml_rv_publickey%'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockRemoteVetController:
public: true
arguments:
- '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway'
- '@twig'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway:
arguments:
- '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration'
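Review bot: the mock IdP announces itself with `$identityProviderEntityId: 'https://selfservice.stepup.example.com/mock/idp/metadata'`, while every mock IdP entry in parameters.yaml.dist is configured with `entityId: https://selfservice.stepup.example.com/mock/metadata`. A SAML response whose Issuer does not match the configured IdP entity ID should be rejected by the SP, so either the mock will never be matched or the mismatch is being tolerated; both deserve a check. In the same service, `$serviceProviderEntityId` is hardcoded to the literal `https://selfservice.stepup.example.com/rv/metadata` that this PR also introduces as the `remote_vetting_entity_id` parameter; reference `'%remote_vetting_entity_id%'` instead so the mock and the real SP cannot drift apart.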
32 changes: 24 additions & 8 deletions config/services_test.yaml
@@ -4,10 +4,6 @@
parameters:
middleware_credentials_password: secret

saml_rv_publickey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt'
saml_rv_privatekey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key'


services:
surfnet_stepup_self_service_self_service.service.sms_second_factor:
class: Surfnet\StepupSelfService\SelfServiceBundle\Tests\TestDouble\Service\SmsSecondFactorService
@@ -35,8 +31,28 @@ services:
- "%middleware_url_command_api%"


Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Encryption\IdentityEncrypter:
class: \Surfnet\StepupSelfService\SelfServiceBundle\Tests\Service\RemoteVetting\Encryption\FakeIdentityEncrypter
# A remote vetting mock IdP is used in order to mock the attributes released from a remote RV (Remote Vetting) IdP.
# This IdP is utilized as a drop in replacement to test the attribute matching between a remote IdP to vet with and the local
# OpenConext IdP.
Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration:
arguments:
$privateKey: '%saml_rv_privatekey%'
$configurationSettings: '%identity_encryption_configuration%'
$remoteVettingIdpConfig: '%remote_vetting_idps%'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration:
arguments:
$identityProviderEntityId: 'https://selfservice.stepup.example.com/mock/idp/metadata'
$serviceProviderEntityId: 'https://selfservice.stepup.example.com/rv/metadata'
$privateKeyPath: '%saml_rv_privatekey%'
$publicCertPath: '%saml_rv_publickey%'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockRemoteVetController:
public: true
arguments:
- '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway'
- '@twig'

Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway:
arguments:
$configuration: '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration'
$writer: '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Encryption\IdentityFilesystemWriter'
- '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration'
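Review bot: dropping the `IdentityEncrypter` alias to `FakeIdentityEncrypter` means the test environment now runs the real encrypter against `%identity_encryption_configuration%`; confirm that is intended and that the test key material referenced there exists, since otherwise the RV tests fail for a reason unrelated to this cleanup. The four service definitions below the comment are a verbatim copy of the new config/services_dev.yaml; a shared file imported from both environments would keep the dev and test wiring from diverging, which is exactly what happened here with the `MockGateway` arguments (named `$configuration`/`$writer` before, one positional `MockConfiguration` now).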