
feat: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 #1507

Merged
dadrus merged 18 commits into main from feat/http_message_signature_auth_type
Sep 16, 2024

Conversation

dadrus (Owner) commented May 31, 2024

Related issue(s)

closes #1493

Checklist

  • I agree to follow this project's Code of Conduct.
  • I have read, and I am following this repository's Contributing Guidelines.
  • I have read the Security Policy.
  • I have referenced an issue describing the bug/feature request.
  • I have added tests that prove the correctness of my implementation.
  • I have updated the documentation.

Description

This PR implements a new endpoint auth strategy named http_message_signatures, which allows signing outbound requests initiated by heimdall to other systems according to RFC 9421.

To make use of this functionality, configure the relevant endpoint as shown below:

endpoint:
  url: http://example.com
  auth:
    type: http_message_signatures
    config:
      # see supported options below

The following configuration options are supported:

# ttl for the signature (Optional). Defaults to 1m.
# Responsible for setting the `created` and `expires` parameters in the resulting signature.
ttl: 1m
# The label to use (Optional). Defaults to `sig`.
label: sig
# The components to be covered by the signature (Mandatory).
# Although the RFC allows signatures which do not cover any components,
# it is a bad practice security-wise.
components: ["@method"]
# Configuration of the signer (Mandatory)
signer:
  # The name of the signer (Optional). Is used to set the `tag` parameter in the
  # resulting signature. Defaults to `heimdall`.
  name: heimdall
  # The key to use from the key store (Optional). If not specified, the first entry
  # is taken from the key store. The `keyid` property of the resulting signature
  # is taken from the used key store entry.
  key_id: key1
  # Configuration of the key store (Mandatory).
  key_store:
    # The password for the key store (Optional)
    password: secret
    # The path to the pem file (Mandatory)
    path: /path/to/keystore.pem

When the auth strategy is executed, the resulting request will contain Signature and Signature-Input headers similar to those shown below:

Signature-Input: sig=("@method");created=1723900795;expires=1723900855;keyid="key1";alg="ecdsa-p384-sha384";nonce="m8gxhYfozC91GHrrYEg6Tw==";tag="heimdall"
Signature: sig=:ef0zZeDAXJ5wLesWVcwhIAvNWS0vE3zt7cpPkVXcc4r6B3UfQT55TLBp8ok0sgSEx4wIJamkU7c6k9KChSU0jiHgAyo0ZSoqiI17OWqgrm3SOXcOaLP9VFo80m1Wl8dp:

Further related functionality:

  • Hot reloading of the key store is supported if secrets_reload_enabled is set to true (global setting).
  • The public key material from the key store is not exposed via the available jwks endpoint.
  • If the referenced key store entry has a certificate or a certificate chain,
    • it is verified for validity when loaded, including whether the key material can be used for signing purposes (key usage), and
    • metrics for the certificate(s) are exposed as for the other certificates used by heimdall.
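The signing that produces the two headers above, and the verification a receiving service has to do with them, as an added example that is not part of this PR or of heimdall's code: a self-contained Go signer and verifier for `ecdsa-p384-sha384`. It builds the RFC 9421 signature base, emits Signature-Input and Signature in the same shape as the headers shown (label, `created`/`expires` derived from a ttl, `keyid`, `alg`, a random `nonce`, `tag`), and on the receiving side enforces the algorithm, the tag, the validity window and a coverage policy before checking the ECDSA signature. The request URL, key id, label, tag and header values are made-up inputs; the supported components are limited to `@method`, `@target-uri` and plain header fields, and the parameter parsing assumes values without escaped quotes (a real implementation needs an RFC 8941 structured-field parser).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Added example, not heimdall's code: a minimal RFC 9421 signer/verifier for alg
// "ecdsa-p384-sha384". Components are limited to @method, @target-uri and plain header
// fields; parameter values are assumed to contain no escaped quotes.
const alg = "ecdsa-p384-sha384"

// signatureBase builds the text that is signed (RFC 9421 §2.5): one line per covered component,
// then the verbatim @signature-params text, so signer and verifier derive byte-identical input.
func signatureBase(r *http.Request, params string) (string, error) {
	list, _, ok := strings.Cut(params, ")")
	if !ok || !strings.HasPrefix(list, "(") {
		return "", fmt.Errorf("malformed @signature-params %q", params)
	}
	var b strings.Builder
	for _, q := range strings.Fields(list[1:]) { // q is the quoted identifier, e.g. "@method"
		var v string
		switch name := strings.Trim(q, `"`); {
		case name == "@method":
			v = r.Method
		case name == "@target-uri":
			v = r.URL.String()
		case !strings.HasPrefix(name, "@") && len(r.Header.Values(name)) > 0:
			v = strings.Join(r.Header.Values(name), ", ") // repeated fields are joined with ", "
		default:
			return "", fmt.Errorf("unsupported or missing component %q", name)
		}
		fmt.Fprintf(&b, "%s: %s\n", q, v)
	}
	fmt.Fprintf(&b, "%q: %s", "@signature-params", params)
	return b.String(), nil
}

// Sign adds Signature-Input and Signature the way the endpoint auth type does: created/expires
// from a ttl, keyid, alg, a random nonce and the signer name as tag. Pass lowercase component names.
func Sign(r *http.Request, key *ecdsa.PrivateKey, label, keyID, tag string, components []string, ttl time.Duration) error {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	now := time.Now().Unix()
	params := fmt.Sprintf(`("%s");created=%d;expires=%d;keyid=%q;alg=%q;nonce=%q;tag=%q`,
		strings.Join(components, `" "`), now, now+int64(ttl/time.Second), keyID, alg,
		base64.StdEncoding.EncodeToString(nonce), tag)
	base, err := signatureBase(r, params)
	if err != nil {
		return err
	}
	h := sha512.Sum384([]byte(base))
	sr, ss, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return err
	}
	sig := make([]byte, 96) // §3.3.5: r || s as two fixed 48-byte integers, not ASN.1 DER
	sr.FillBytes(sig[:48])
	ss.FillBytes(sig[48:])
	r.Header.Set("Signature-Input", label+"="+params)
	r.Header.Set("Signature", label+"=:"+base64.StdEncoding.EncodeToString(sig)+":")
	return nil
}

// Verify checks alg, tag, the created/expires window, a coverage policy and the signature itself.
// A signature over "@method" alone is valid but replayable against any URL, so required should
// at least name "@target-uri" (plus a content digest for requests with a body).
func Verify(r *http.Request, pub *ecdsa.PublicKey, now time.Time, expectTag string, required []string) error {
	label, params, _ := strings.Cut(r.Header.Get("Signature-Input"), "=")
	list, rest, _ := strings.Cut(params, ")")
	p := map[string]string{}
	for _, kv := range strings.Split(rest, ";") {
		k, v, _ := strings.Cut(kv, "=")
		p[k] = strings.Trim(v, `"`)
	}
	created, _ := strconv.ParseInt(p["created"], 10, 64)
	expires, _ := strconv.ParseInt(p["expires"], 10, 64)
	if p["alg"] != alg || p["tag"] != expectTag || now.Unix() < created || now.Unix() >= expires {
		return fmt.Errorf("rejected params alg=%q tag=%q created=%d expires=%d", p["alg"], p["tag"], created, expires)
	}
	for _, c := range required {
		if !strings.Contains(list, strconv.Quote(c)) {
			return fmt.Errorf("policy requires %q to be covered", c)
		}
	}
	// A wrong label leaves "=:" in place, which makes the base64 decoding fail.
	sig, err := base64.StdEncoding.DecodeString(strings.Trim(strings.TrimPrefix(r.Header.Get("Signature"), label+"=:"), ":"))
	if err != nil || len(sig) != 96 {
		return fmt.Errorf("Signature for label %q is not a 96-byte r||s value", label)
	}
	base, err := signatureBase(r, params)
	if err != nil {
		return err
	}
	h := sha512.Sum384([]byte(base))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])) {
		return fmt.Errorf("signature does not match the request")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	req, _ := http.NewRequest("POST", "https://example.com/api/orders?id=7", nil)
	req.Header.Set("Content-Digest", "sha-256=:ZGVtbw==:") // constructed value, not a real body digest
	err := Sign(req, key, "sig", "key1", "heimdall", []string{"@method", "@target-uri", "content-digest"}, time.Minute)
	fmt.Println(err, req.Header.Get("Signature-Input"), req.Header.Get("Signature"))
	fmt.Println("verify:", Verify(req, &key.PublicKey, time.Now(), "heimdall", []string{"@target-uri"}))
}
```

Run with `go run`; it prints the two headers for the constructed request followed by the verification result. The coverage policy in `Verify` is the receiving-side counterpart of the remark above that signing without covered components is bad practice: a signature over `"@method"` alone is cryptographically valid for any URL and any body, so a verifier should insist on at least `@target-uri` (and a content digest when a body is present), and the `components` list in the heimdall configuration should name those identifiers rather than only `@method`, assuming the underlying library supports them. A production verifier would additionally allow some clock skew around `created`/`expires`, remember seen nonces for the lifetime of the ttl to detect replay, and parse the structured fields with a proper RFC 8941 parser instead of the string splitting used here.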

codecov bot commented May 31, 2024

Codecov Report

Attention: Patch coverage is 94.73684% with 10 lines in your changes missing coverage. Please review.

Project coverage is 89.81%. Comparing base (2577f56) to head (f81be24).
Report is 2 commits behind head on main.

Files with missing lines                               Patch %   Lines
...s/endpoint/authstrategy/http_message_signatures.go  94.95%    6 Missing ⚠️
...ules/endpoint/authstrategy/mapstructure_decoder.go  88.00%    2 Missing and 1 partial ⚠️
...hanisms/authenticators/basic_auth_authenticator.go  80.00%    0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1507      +/-   ##
==========================================
+ Coverage   89.72%   89.81%   +0.09%     
==========================================
  Files         270      271       +1     
  Lines        9012     9154     +142     
==========================================
+ Hits         8086     8222     +136     
- Misses        685      691       +6     
  Partials      241      241              


@dadrus dadrus changed the title feat: New auth type strategy to create http message signatures according to RFC 9421 feat: New endpoint auth type to create http message signatures according to RFC 9421 four outbound requests May 31, 2024
@dadrus dadrus changed the title feat: New endpoint auth type to create http message signatures according to RFC 9421 four outbound requests feat: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 May 31, 2024
@dadrus dadrus changed the title feat: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 wip: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 Jun 5, 2024
dadrus (Owner, Author) commented Jun 11, 2024

Work on this PR will continue as soon as #1534 is merged

@dadrus dadrus marked this pull request as draft July 1, 2024 18:38
@dadrus dadrus marked this pull request as ready for review August 19, 2024 07:21
@dadrus dadrus changed the title wip: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 feat: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 Sep 16, 2024
@dadrus dadrus merged commit 672988d into main Sep 16, 2024
28 checks passed
@dadrus dadrus deleted the feat/http_message_signature_auth_type branch September 16, 2024 10:39
Development

Successfully merging this pull request may close these issues.

Support for message signatures (RFC 9421)
1 participant