Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LG-744 Whitelist SP attributes for ability to receive LOA3 data #2672

Merged
merged 13 commits into from
Mar 21, 2019
Merged

LG-744 Whitelist SP attributes for ability to receive LOA3 data #2672

merged 13 commits into from
Mar 21, 2019

Conversation

stevegsa
Copy link
Contributor

@stevegsa stevegsa commented Nov 25, 2018
edited
Loading

Why: Service providers should only receive loa3 data if they have been pre-configured to do so.

How: Only allow SAML and OIDC requests to accept loa3 requests if the sp is configured for ial 2. Update the existing configurations for loa3 sps in service_providers.yml. Add logic to SamlRequestValidator and OpenIdConnectAuthorizeForm.

Hi! Before submitting your PR for review, and/or before merging it, please
go through the checklists below. These represent the more critical elements
of our code quality guidelines. The rest of the list can be found in
CONTRIBUTING.md

Controllers

  • When adding a new controller that requires the user to be fully
    authenticated, make sure to add before_action :confirm_two_factor_authenticated
    as the first callback.

Database

  • Unsafe migrations are implemented over several PRs and over several
    deploys to avoid production errors. The strong_migrations gem
    will warn you about unsafe migrations and has great step-by-step instructions
    for various scenarios.

  • Indexes were added if necessary. This article provides a good overview
    of indexes in Rails.

  • Verified that the changes don't affect other apps (such as the dashboard)

  • When relevant, a rake task is created to populate the necessary DB columns
    in the various environments right before deploying, taking into account the users
    who might not have interacted with this column yet (such as users who have not
    set a password yet)

  • Migrations against existing tables have been tested against a copy of the
    production database. See LG-228 Make migrations safer and more resilient #2127 for an example when a migration caused deployment
    issues. In that case, all the migration did was add a new column and an index to
    the Users table, which might seem innocuous.

Encryption

  • The changes are compatible with data that was encrypted with the old code.

Routes

  • GET requests are not vulnerable to CSRF attacks (i.e. they don't change
    state or result in destructive behavior).

Session

  • When adding user data to the session, use the user_session helper
    instead of the session helper so the data does not persist beyond the user's
    session.

Testing

  • Tests added for this feature/bug
  • Prefer feature/integration specs over controller specs
  • When adding code that reads data, write tests for nil values, empty strings,
    and invalid inputs.

@jmhooper
Copy link
Member

What's the advantage of using the attribute bundle instead of the SP's ial? It seems like there's a lot more overhead involved with keeping up with the attributes for each SP rather than whether an SP is allowed to request IAL 1 or IAL 2 attributes.

@stevegsa stevegsa force-pushed the stevegsa-whitelist-loa3-sps branch from 6d5404e to 320839e Compare December 3, 2018 02:17
jmhooper
jmhooper previously approved these changes Dec 3, 2018
View reviewed changes
Copy link
Member

@jmhooper jmhooper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like how this came out 💯

jgsmith-usds
jgsmith-usds reviewed Dec 3, 2018
View reviewed changes
Copy link
Contributor

@jgsmith-usds jgsmith-usds left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This restricts one part of the process, but if the IAL level changes, do we restrict the identity.scopes properly? I'm thinking in particular of what we do in OpenidConnectUserInfoPresenter. It looks like we assume identity.scopes is proper, which might not be completely true if we've changed the IAL level for an SP to be more restrictive.

spec/forms/openid_connect_authorize_form_spec.rb Outdated Show resolved Hide resolved
app/forms/openid_connect_authorize_form.rb Show resolved Hide resolved
@brodygov
Copy link
Contributor

brodygov commented Mar 8, 2019

What's the latest state here?

@lauraGgit lauraGgit closed this Mar 13, 2019
@stevegsa stevegsa reopened this Mar 20, 2019
@stevegsa stevegsa force-pushed the stevegsa-whitelist-loa3-sps branch from fdc3bae to 543f8c0 Compare March 20, 2019 18:08
@stevegsa
Copy link
Contributor Author

@jgsmith-usds I tested the scopes requesting ssn for IAL1, etc. and it correctly returned only IAL1 fields (email). wrt changing an SP's IAL level from IAL2 to IAL1 and the persisted scopes in identities: I say we create a new story for that scenario and fix it if it does not work properly.

stevegsa added 13 commits March 20, 2019 15:24
@stevegsa
LG-744 Service Provider attributes should be whitelisted for ability …
47b64ea 
…to receive LOA3 data

**Why**: Service providers should only receive fields that they have declared when the SP was setup in the service_providers.yml.  This will prevent sending LOA3 data to an LOA1 only sp.

**How**: Update the presenter which tells the user what fields are being returned and the attribute asserter which assembles the fields to be returned.  Send only the intersection of fields requested with the fields declared for the SP in the service_providers.yml.
@stevegsa
Fix spec 2
bb8a3c5
@stevegsa
Fix spec 3
7e1d39b
@stevegsa
Fix spec 4
a898c9d
@stevegsa
Switch to ial
e100380
@stevegsa
Revert
26afee3
@stevegsa
Fix spec
09b5fb1
@stevegsa
Add OIDC
4916340
@stevegsa
Add ial2 to an sp
1d3028f
@stevegsa
Added more ial 2
40c20ba
@stevegsa
Fix oidc spec
a4632cf
@stevegsa
Lint
7c25bd4
@stevegsa
Typo
1a8e53f
@stevegsa stevegsa force-pushed the stevegsa-whitelist-loa3-sps branch from 4b921cb to 1a8e53f Compare March 20, 2019 19:24
brodygov added a commit to 18F/identity-dashboard that referenced this pull request Mar 20, 2019
@brodygov
Add IAL attribute to service providers.
65c82b7 
This is a dependency for 18F/identity-idp#2672

The IDP will soon start enforcing validation such that IAL1 service
providers can only request IAL1 attributes, not sensitive attributes.

By default the IDP will consider service providers to be at IAL1. So in
order to avoid any service providers that are relying upon IAL2/LOA3
data, we have to add a corresponding attribute to service providers in
the dashboard.
@brodygov brodygov mentioned this pull request Mar 20, 2019
Merged
@stevegsa stevegsa merged commit 3edc312 into master Mar 21, 2019
stevegsa pushed a commit to 18F/identity-dashboard that referenced this pull request Mar 21, 2019
@brodygov @stevegsa
Add IAL attribute to service providers. (#198)
9010ac0 
* Add IAL attribute to service providers.

This is a dependency for 18F/identity-idp#2672

The IDP will soon start enforcing validation such that IAL1 service
providers can only request IAL1 attributes, not sensitive attributes.

By default the IDP will consider service providers to be at IAL1. So in
order to avoid any service providers that are relying upon IAL2/LOA3
data, we have to add a corresponding attribute to service providers in
the dashboard.
@stevegsa stevegsa mentioned this pull request Mar 21, 2019
Merged
@brodygov brodygov deleted the stevegsa-whitelist-loa3-sps branch March 21, 2019 19:07
cpbgsa pushed a commit that referenced this pull request Mar 22, 2019
@stevegsa @cpbgsa
LG-744 Whitelist SP attributes for ability to receive LOA3 data (#2672)
1cd3a09 
* LG-744 Service Provider attributes should be whitelisted for ability to receive LOA3 data

**Why**: Service providers should only receive fields that they have declared when the SP was setup in the service_providers.yml.  This will prevent sending LOA3 data to an LOA1 only sp.

**How**: Update the presenter which tells the user what fields are being returned and the attribute asserter which assembles the fields to be returned.  Send only the intersection of fields requested with the fields declared for the SP in the service_providers.yml.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgsmith-usds jgsmith-usds jgsmith-usds left review comments

@jmhooper jmhooper jmhooper approved these changes

Assignees
No one assigned
Labels
status - ready for review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@stevegsa @jmhooper @brodygov @jgsmith-usds @lauraGgit