From f071b5206a65efc7e058eac9d6b4099132a3c91c Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Tue, 10 Dec 2024 12:35:04 -0600 Subject: [PATCH 01/11] rename to primary --- app/forms/openid_connect_logout_form.rb | 2 +- app/presenters/openid_connect_certs_presenter.rb | 2 +- app/services/id_token_builder.rb | 4 ++-- app/services/push_notification/http_push.rb | 4 ++-- config/initializers/app_artifacts.rb | 16 ++++++++++------ spec/forms/openid_connect_logout_form_spec.rb | 5 ++++- spec/forms/openid_connect_token_form_spec.rb | 2 +- spec/forms/security_event_form_spec.rb | 2 +- .../openid_connect_certs_presenter_spec.rb | 2 +- spec/services/id_token_builder_spec.rb | 6 ++++-- .../services/push_notification/http_push_spec.rb | 10 +++++----- .../features/push_notifications_helper.rb | 2 +- spec/support/oidc_auth_helper.rb | 2 +- spec/support/private_key_file_helper.rb | 4 ++-- 14 files changed, 36 insertions(+), 27 deletions(-) diff --git a/app/forms/openid_connect_logout_form.rb b/app/forms/openid_connect_logout_form.rb index 68ebffdc411..02d17fc80d4 100644 --- a/app/forms/openid_connect_logout_form.rb +++ b/app/forms/openid_connect_logout_form.rb @@ -87,7 +87,7 @@ def load_identity identity_from_client_id else payload, _headers = JWT.decode( - id_token_hint, AppArtifacts.store.oidc_public_key, true, + id_token_hint, AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', leeway: Float::INFINITY ).map(&:with_indifferent_access) diff --git a/app/presenters/openid_connect_certs_presenter.rb b/app/presenters/openid_connect_certs_presenter.rb index 245bbcbffb9..c620e59eea8 100644 --- a/app/presenters/openid_connect_certs_presenter.rb +++ b/app/presenters/openid_connect_certs_presenter.rb @@ -10,7 +10,7 @@ def certs private def keys - [AppArtifacts.store.oidc_public_key].map do |key| + [AppArtifacts.store.oidc_primary_public_key].map do |key| { alg: 'RS256', use: 'sig', diff --git a/app/services/id_token_builder.rb b/app/services/id_token_builder.rb index 4ce7f9c926e..0df1aef172c 100644 --- a/app/services/id_token_builder.rb +++ b/app/services/id_token_builder.rb @@ -16,9 +16,9 @@ def initialize(identity:, code:, custom_expiration: nil, now: Time.zone.now) def id_token JWT.encode( jwt_payload, - AppArtifacts.store.oidc_private_key, + AppArtifacts.store.oidc_primary_private_key, 'RS256', - kid: JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid, + kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, ) end diff --git a/app/services/push_notification/http_push.rb b/app/services/push_notification/http_push.rb index a4a51e8ae99..48f24872c8f 100644 --- a/app/services/push_notification/http_push.rb +++ b/app/services/push_notification/http_push.rb @@ -62,10 +62,10 @@ def jwt(service_provider) JWT.encode( payload, - AppArtifacts.store.oidc_private_key, + AppArtifacts.store.oidc_primary_private_key, 'RS256', typ: 'secevent+jwt', - kid: JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid, + kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, ) end diff --git a/config/initializers/app_artifacts.rb b/config/initializers/app_artifacts.rb index 2f82b258b3a..e0d76f28554 100644 --- a/config/initializers/app_artifacts.rb +++ b/config/initializers/app_artifacts.rb @@ -10,12 +10,16 @@ store.add_artifact(:saml_2024_cert, '/%s/saml2024.crt') store.add_artifact(:saml_2024_key, '/%s/saml2024.key.enc') - store.add_artifact(:oidc_private_key, '/%s/oidc.key') { |k| OpenSSL::PKey::RSA.new(k) } - store.add_artifact(:oidc_public_key, '/%s/oidc.pub') { |k| OpenSSL::PKey::RSA.new(k) } + store.add_artifact(:oidc_primary_private_key, '/%s/oidc.key') do |k| + OpenSSL::PKey::RSA.new(k) + end + store.add_artifact(:oidc_primary_public_key, '/%s/oidc.pub') do |k| + OpenSSL::PKey::RSA.new(k) + end end -valid = OpenidConnectKeyValidation.valid?( - public_key: AppArtifacts.store.oidc_public_key, - private_key: AppArtifacts.store.oidc_private_key, +primary_valid = OpenidConnectKeyValidation.valid?( + public_key: AppArtifacts.store.oidc_primary_public_key, + private_key: AppArtifacts.store.oidc_primary_private_key, ) -raise 'OIDC Public/Private Keys do not match' if !valid +raise 'OIDC Primary Public/Private Keys do not match' if !primary_valid diff --git a/spec/forms/openid_connect_logout_form_spec.rb b/spec/forms/openid_connect_logout_form_spec.rb index 60a635f5196..543af454932 100644 --- a/spec/forms/openid_connect_logout_form_spec.rb +++ b/spec/forms/openid_connect_logout_form_spec.rb @@ -151,7 +151,10 @@ context 'with a payload that does not correspond to an identity' do let(:id_token_hint) do - JWT.encode({ sub: '123', aud: '456' }, AppArtifacts.store.oidc_private_key, 'RS256') + JWT.encode( + { sub: '123', aud: '456' }, + AppArtifacts.store.oidc_primary_private_key, 'RS256' + ) end it 'is not valid' do diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb index b039b2ac37c..ef92d2c6893 100644 --- a/spec/forms/openid_connect_token_form_spec.rb +++ b/spec/forms/openid_connect_token_form_spec.rb @@ -46,7 +46,7 @@ let(:client_private_key) do OpenSSL::PKey::RSA.new(Rails.root.join('keys', 'saml_test_sp.key').read) end - let(:server_public_key) { AppArtifacts.store.oidc_public_key } + let(:server_public_key) { AppArtifacts.store.oidc_primary_public_key } let(:user) { create(:user) } diff --git a/spec/forms/security_event_form_spec.rb b/spec/forms/security_event_form_spec.rb index 19241a31a5f..8da60070281 100644 --- a/spec/forms/security_event_form_spec.rb +++ b/spec/forms/security_event_form_spec.rb @@ -211,7 +211,7 @@ context 'when signed with a different key than registered to the SP' do let(:rp_private_key) do - OpenSSL::PKey::RSA.new(AppArtifacts.store.oidc_private_key) + OpenSSL::PKey::RSA.new(AppArtifacts.store.oidc_primary_private_key) end it 'is invalid' do diff --git a/spec/presenters/openid_connect_certs_presenter_spec.rb b/spec/presenters/openid_connect_certs_presenter_spec.rb index 7babb6a127e..59d39e54d38 100644 --- a/spec/presenters/openid_connect_certs_presenter_spec.rb +++ b/spec/presenters/openid_connect_certs_presenter_spec.rb @@ -12,7 +12,7 @@ expect(json[:keys].all? { |k| k[:use] == 'sig' }).to eq(true) key_from_response = JWT::JWK.import(json[:keys].first).public_key - public_key = AppArtifacts.store.oidc_public_key + public_key = AppArtifacts.store.oidc_primary_public_key expect(key_from_response.to_pem).to eq(public_key.to_pem) end diff --git a/spec/services/id_token_builder_spec.rb b/spec/services/id_token_builder_spec.rb index 23c666383bf..ed1b005d29a 100644 --- a/spec/services/id_token_builder_spec.rb +++ b/spec/services/id_token_builder_spec.rb @@ -37,7 +37,7 @@ let(:decoded_id_token) do JWT.decode( id_token, - AppArtifacts.store.oidc_public_key, + AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', ).map(&:with_indifferent_access) @@ -224,7 +224,9 @@ end it 'sets the kid for the signing key in the JWT headers' do - expect(decoded_headers[:kid]).to eq(JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid) + expect(decoded_headers[:kid]).to eq( + JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, + ) end end end diff --git a/spec/services/push_notification/http_push_spec.rb b/spec/services/push_notification/http_push_spec.rb index 8288fa9287b..6b532486a36 100644 --- a/spec/services/push_notification/http_push_spec.rb +++ b/spec/services/push_notification/http_push_spec.rb @@ -48,14 +48,14 @@ jwt_payload, headers = JWT.decode( args[:jwt], - AppArtifacts.store.oidc_public_key, + AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', - kid: JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid, + kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, ) expect(headers['typ']).to eq('secevent+jwt') - expect(headers['kid']).to eq(JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid) + expect(headers['kid']).to eq(JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid) expect(jwt_payload['iss']).to eq(root_url) expect(jwt_payload['iat']).to eq(now.to_i) @@ -82,10 +82,10 @@ expect { deliver }.to have_enqueued_job(RiscDeliveryJob).with { |args| jwt_payload, _headers = JWT.decode( args[:jwt], - AppArtifacts.store.oidc_public_key, + AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', - kid: JWT::JWK.new(AppArtifacts.store.oidc_private_key).kid, + kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, ) expect(jwt_payload['events'][event.event_type]['subject']['sub']).to eq(agency_uuid) } diff --git a/spec/support/features/push_notifications_helper.rb b/spec/support/features/push_notifications_helper.rb index f4fc3ede131..158dc8311e5 100644 --- a/spec/support/features/push_notifications_helper.rb +++ b/spec/support/features/push_notifications_helper.rb @@ -3,7 +3,7 @@ def stub_push_notification_request(sp_push_notification_endpoint:, event_type:, stub_request(:post, sp_push_notification_endpoint).with do |request| parsed_jwt, _jwt_headers = JWT.decode( request.body, - AppArtifacts.store.oidc_public_key, + AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', ) diff --git a/spec/support/oidc_auth_helper.rb b/spec/support/oidc_auth_helper.rb index acfcfb75f79..52c7f6fe16b 100644 --- a/spec/support/oidc_auth_helper.rb +++ b/spec/support/oidc_auth_helper.rb @@ -207,7 +207,7 @@ def oidc_decoded_token def oidc_decoded_id_token @oidc_decoded_id_token ||= JWT.decode( oidc_decoded_token[:id_token], - AppArtifacts.store.oidc_public_key, + AppArtifacts.store.oidc_primary_public_key, true, algorithm: 'RS256', ).first.with_indifferent_access diff --git a/spec/support/private_key_file_helper.rb b/spec/support/private_key_file_helper.rb index 3d9d99e2f4e..b623efaaae4 100644 --- a/spec/support/private_key_file_helper.rb +++ b/spec/support/private_key_file_helper.rb @@ -1,5 +1,5 @@ module PrivateKeyFileHelper - # Returns the private key in AppArtifacts.store.oidc_private_key if + # Returns the private key in AppArtifacts.store.oidc_primary_private_key if # Identity::Hostdata.in_datacenter? or if the private key file does # not exist; otherwise, the private key from the file is returned. def private_key_from_store_or(file_name:) @@ -12,7 +12,7 @@ def private_key_from_store_or(file_name:) if File.exist?(file_name) OpenSSL::PKey::RSA.new(File.read(file_name)) else - return AppArtifacts.store.oidc_private_key + return AppArtifacts.store.oidc_primary_private_key end end From 5dc846cccea319974c1ded250358760593ce8cc6 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Tue, 10 Dec 2024 15:28:56 -0600 Subject: [PATCH 02/11] placeholder --- config/initializers/app_artifacts.rb | 21 +++++++++++++++++++++ lib/app_artifacts.rb | 5 +++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/config/initializers/app_artifacts.rb b/config/initializers/app_artifacts.rb index e0d76f28554..57a63ff66ef 100644 --- a/config/initializers/app_artifacts.rb +++ b/config/initializers/app_artifacts.rb @@ -16,6 +16,18 @@ store.add_artifact(:oidc_primary_public_key, '/%s/oidc.pub') do |k| OpenSSL::PKey::RSA.new(k) end + store.add_artifact( + :oidc_secondary_private_key, '/%s/oidc_secondary.key', + allow_missing: true + ) do |k| + OpenSSL::PKey::RSA.new(k) if !k.nil? + end + store.add_artifact( + :oidc_secondary_public_key, '/%s/oidc_secondary.pub', + allow_missing: true + ) do |k| + OpenSSL::PKey::RSA.new(k) if !k.nil? + end end primary_valid = OpenidConnectKeyValidation.valid?( @@ -23,3 +35,12 @@ private_key: AppArtifacts.store.oidc_primary_private_key, ) raise 'OIDC Primary Public/Private Keys do not match' if !primary_valid + +secondary_valid = + (AppArtifacts.store.oidc_secondary_private_key.nil? && + AppArtifacts.store.oidc_secondary_public_key.nil?) || + OpenidConnectKeyValidation.valid?( + public_key: AppArtifacts.store.oidc_secondary_public_key, + private_key: AppArtifacts.store.oidc_secondary_private_key, + ) +raise 'OIDC Secondary Public/Private Keys are invalid' if !secondary_valid diff --git a/lib/app_artifacts.rb b/lib/app_artifacts.rb index 31f2ebb82c7..6861d18a4ed 100644 --- a/lib/app_artifacts.rb +++ b/lib/app_artifacts.rb @@ -27,9 +27,10 @@ def build # @param [Symbol] name # @param [String] path - def add_artifact(name, path) + # @param [Boolean] allow_missing + def add_artifact(name, path, allow_missing: false) value = read_artifact(path) - raise MissingArtifactError.new("missing artifact: #{path}") if value.nil? + raise MissingArtifactError.new("missing artifact: #{path}") if value.nil? && !allow_missing value = yield(value) if block_given? @artifacts[name] = value nil From 81fdd102b2cd88380c3bf86ce82bd9520378aa72 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 14:16:20 -0600 Subject: [PATCH 03/11] allow decoding id_token_hint with either OIDC key --- app/forms/openid_connect_logout_form.rb | 30 ++++++++++++------- spec/forms/openid_connect_logout_form_spec.rb | 21 +++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) diff --git a/app/forms/openid_connect_logout_form.rb b/app/forms/openid_connect_logout_form.rb index 02d17fc80d4..b9a4f7c8fe7 100644 --- a/app/forms/openid_connect_logout_form.rb +++ b/app/forms/openid_connect_logout_form.rb @@ -86,22 +86,32 @@ def load_identity if reject_id_token_hint? identity_from_client_id else + identity_from_token_hint(id_token_hint) || identity_from_client_id + end + end + + def identity_from_token_hint(id_token_hint) + return nil if id_token_hint.blank? + payload, _headers = nil + + _matching_cert = [ + AppArtifacts.store.oidc_primary_public_key, + AppArtifacts.store.oidc_secondary_public_key, + ].compact.find do |key| payload, _headers = JWT.decode( - id_token_hint, AppArtifacts.store.oidc_primary_public_key, true, + id_token_hint, key, true, algorithm: 'RS256', leeway: Float::INFINITY ).map(&:with_indifferent_access) - - identity_from_payload(payload) || identity_from_client_id + rescue JWT::DecodeError + next end - rescue JWT::DecodeError - nil - end - def identity_from_payload(payload) - uuid = payload[:sub] - sp = payload[:aud] - AgencyIdentityLinker.sp_identity_from_uuid_and_sp(uuid, sp) + if payload + uuid = payload[:sub] + sp = payload[:aud] + AgencyIdentityLinker.sp_identity_from_uuid_and_sp(uuid, sp) + end end def id_token_hint_or_client_id_present diff --git a/spec/forms/openid_connect_logout_form_spec.rb b/spec/forms/openid_connect_logout_form_spec.rb index 543af454932..cbc9f0f08b5 100644 --- a/spec/forms/openid_connect_logout_form_spec.rb +++ b/spec/forms/openid_connect_logout_form_spec.rb @@ -149,6 +149,27 @@ end end + context 'with a valid payload that was signed with the secondary OIDC key' do + let(:id_token_hint) do + JWT.encode( + { sub: identity.uuid, aud: identity.service_provider }, + AppArtifacts.store.oidc_secondary_private_key, 'RS256' + ) + end + + it 'is valid' do + secondary_private_key = OpenSSL::PKey::RSA.generate(1_024) + secondary_public_key = secondary_private_key.public_key + allow(AppArtifacts.store).to receive(:oidc_secondary_private_key).and_return( + secondary_private_key, + ) + allow(AppArtifacts.store).to receive(:oidc_secondary_public_key).and_return( + secondary_public_key, + ) + expect(valid?).to eq(true) + end + end + context 'with a payload that does not correspond to an identity' do let(:id_token_hint) do JWT.encode( From a37337f3847cc4336842aeffa86b4789a97c62e7 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 14:52:55 -0600 Subject: [PATCH 04/11] remove extraneous class creation --- spec/forms/security_event_form_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/forms/security_event_form_spec.rb b/spec/forms/security_event_form_spec.rb index 8da60070281..b4f96a5a7b3 100644 --- a/spec/forms/security_event_form_spec.rb +++ b/spec/forms/security_event_form_spec.rb @@ -211,7 +211,7 @@ context 'when signed with a different key than registered to the SP' do let(:rp_private_key) do - OpenSSL::PKey::RSA.new(AppArtifacts.store.oidc_primary_private_key) + AppArtifacts.store.oidc_primary_private_key end it 'is invalid' do From ecbaafa812150e028f06f11128eb0e3e5d7749ca Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 15:49:06 -0600 Subject: [PATCH 05/11] support two keys changelog: Internal, OpenID Connect, Support two OIDC key-pairs --- .../openid_connect_certs_presenter.rb | 23 +++++++------- .../local/oidc_secondary.key | 30 +++++++++++++++++++ .../local/oidc_secondary.pub | 9 ++++++ spec/forms/openid_connect_logout_form_spec.rb | 8 ----- .../openid_connect_certs_presenter_spec.rb | 16 ++++++---- 5 files changed, 61 insertions(+), 25 deletions(-) create mode 100644 config/artifacts.example/local/oidc_secondary.key create mode 100644 config/artifacts.example/local/oidc_secondary.pub diff --git a/app/presenters/openid_connect_certs_presenter.rb b/app/presenters/openid_connect_certs_presenter.rb index c620e59eea8..8268c7c6d81 100644 --- a/app/presenters/openid_connect_certs_presenter.rb +++ b/app/presenters/openid_connect_certs_presenter.rb @@ -1,20 +1,19 @@ # frozen_string_literal: true class OpenidConnectCertsPresenter + KEYS = [ + AppArtifacts.store.oidc_primary_public_key, + AppArtifacts.store.oidc_secondary_public_key, + ].compact.map do |key| + { + alg: 'RS256', + use: 'sig', + }.merge(JWT::JWK.new(key).export) + end.freeze + def certs { - keys: keys, + keys: KEYS, } end - - private - - def keys - [AppArtifacts.store.oidc_primary_public_key].map do |key| - { - alg: 'RS256', - use: 'sig', - }.merge(JWT::JWK.new(key).export) - end - end end diff --git a/config/artifacts.example/local/oidc_secondary.key b/config/artifacts.example/local/oidc_secondary.key new file mode 100644 index 00000000000..518378f7ca4 --- /dev/null +++ b/config/artifacts.example/local/oidc_secondary.key @@ -0,0 +1,30 @@ +This is a public example key used for testing and local development. +Even though it appears to be a private key, it is not secret and is intended to be public. + +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA1a4Vx1KKS9ByDlNgX+Z7hiojyA9U5f8iu4wNesiOdtWmHG9O +d7QsIpPV2A/yf7Y0X2nEWAABdHtAmrvmmJbP1aofmhaxAmYQXYJSloACZFA5qVdT +cV2jKA3+ZCCgZDj6bXWhERFQRIBbKIc7VWtxM/M5lhpnTEsy55XIN0iXoq1cM539 +GtKp5XfGTQ1Pv9ovCJ1//WH1vBnhXwd62kExk+Snp/9X+eLBoguQcNofphQOsLIu +b7t9YuqI9xbQZDCfy280R3jV6K9g/ZlIoKfE18q9MI5n4U7L8W0/DopImyYCJltM +zcJtcvSUVCapOK+bnwnnaDvke67lA1kyReZnmwIDAQABAoIBAQC1xR9VrctjbvB3 +a0nCishtew9xMkmgVYdwT1VwK4e1Y02pRq5TeftJdsUkxXweVBr9R3X0/hw+wFJW +zpz9FN27/rpfVApD5hrp0OD8kex29R/4BAdBmsweWLkc5/xJBYdS8guP/1Bu1Vm2 +gkNhCMMF1FQacl+JMTcedfYZwTDs+kjX4i5ccY9xXdHQSYikCSZOcrcqD5949FZd +3SjIMrYaY8Mf6WFsWXMzsXNef7eVoeK7MLPbe9+jsdyrswk/3qMrUSmYG+hVSkCp +lO0S3ZD+INbOHQe0x3v88rNMJVe6VrwFMauDDXs3s7TVelqDjsyA8uAKCUR+amVj +9/6e7d4RAoGBAP8RZlOVTkfKxgZPjoYEOVq9kMRCbF+4S/6ZGflpNBEQAPyegooh +5GP7k/QzqA+D9wHIl7ATslW3i3CNOnhIX77TuRanErtQ6KMSKoX4I+FBJyZWpFml +FF9t5xkRrUHLk3dP925y/ZguuQHWOsO4jZOn0lSYGYSCYTwoR+X4jX7PAoGBANZ1 ++DECFAA6R+/0/neHuzHOFukrIJicekBm0mkIq333DjXAZBDZsqNG6lbfpNCe5Z/J +zv0BCL7m50ypmRh6jp8lqndm8A/ONy4XkB9QrYd+ftTIZGm3bvFdjgbqNUGplfwQ +yFF/mcvY/2y48M9Uwr+SDPJZNzhGAxQQ/3zjwh11AoGAXziNrNJmYOLQPnbgzCMz +ji6KptntP2a76BYb3kJqD5yb4bMDJLI2YyT+PQIz0WcAhYfvKOqRfvKAecofc9wA +8mp0BILmuUshLg+QFGdobaU3Clb6EAVSr7WFupQgzBlFuhr+UhtXlMKMiqUBVyPE +psTV/oKxtAhAaIbZIH9Dw30CgYEAwgMG/I78uRgAbDwe2NOZrXzbjSTO4EDu98QN +JagKPHJ8EHR0EipfSQamiODZoUGeSeevsYJ1/v200c28CkEVNTRF+q7NDf9oO/Jl +F29NDP6KjsSa0mh3nTMdgXPvqe9ZGCe2kMP2xksRB7JnZ6kuZVAjFjtPkUEFF+oo +tzr0KOECgYEA7jLXEmtJZtdaHRzgEb2DxwNiHzfUg7mrBn3tbfB5V3yDdRtMzXRk +ASMMc7n+wh553Ms9A8X/75yX/Lt2+viA0q8L/ideZl7b1Of5I4E4c92WGQ0P6x6E +9JV6vfZzsKjmOBux52vvxjCUHLaBEL6y8e4mteMgvQJbY8aimU19dgU= +-----END RSA PRIVATE KEY----- diff --git a/config/artifacts.example/local/oidc_secondary.pub b/config/artifacts.example/local/oidc_secondary.pub new file mode 100644 index 00000000000..f950dab5d4b --- /dev/null +++ b/config/artifacts.example/local/oidc_secondary.pub @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1a4Vx1KKS9ByDlNgX+Z7 +hiojyA9U5f8iu4wNesiOdtWmHG9Od7QsIpPV2A/yf7Y0X2nEWAABdHtAmrvmmJbP +1aofmhaxAmYQXYJSloACZFA5qVdTcV2jKA3+ZCCgZDj6bXWhERFQRIBbKIc7VWtx +M/M5lhpnTEsy55XIN0iXoq1cM539GtKp5XfGTQ1Pv9ovCJ1//WH1vBnhXwd62kEx +k+Snp/9X+eLBoguQcNofphQOsLIub7t9YuqI9xbQZDCfy280R3jV6K9g/ZlIoKfE +18q9MI5n4U7L8W0/DopImyYCJltMzcJtcvSUVCapOK+bnwnnaDvke67lA1kyReZn +mwIDAQAB +-----END PUBLIC KEY----- diff --git a/spec/forms/openid_connect_logout_form_spec.rb b/spec/forms/openid_connect_logout_form_spec.rb index cbc9f0f08b5..78e3af831a8 100644 --- a/spec/forms/openid_connect_logout_form_spec.rb +++ b/spec/forms/openid_connect_logout_form_spec.rb @@ -158,14 +158,6 @@ end it 'is valid' do - secondary_private_key = OpenSSL::PKey::RSA.generate(1_024) - secondary_public_key = secondary_private_key.public_key - allow(AppArtifacts.store).to receive(:oidc_secondary_private_key).and_return( - secondary_private_key, - ) - allow(AppArtifacts.store).to receive(:oidc_secondary_public_key).and_return( - secondary_public_key, - ) expect(valid?).to eq(true) end end diff --git a/spec/presenters/openid_connect_certs_presenter_spec.rb b/spec/presenters/openid_connect_certs_presenter_spec.rb index 59d39e54d38..46e9012ec97 100644 --- a/spec/presenters/openid_connect_certs_presenter_spec.rb +++ b/spec/presenters/openid_connect_certs_presenter_spec.rb @@ -4,17 +4,23 @@ subject(:presenter) { OpenidConnectCertsPresenter.new } describe '#certs' do - it 'renders the server public key as a JWK set' do + it 'renders the server public keys as a JWK set' do json = presenter.certs - expect(json[:keys].size).to eq(1) + expect(json[:keys].size).to eq(2) expect(json[:keys].all? { |k| k[:alg] == 'RS256' }).to eq(true) expect(json[:keys].all? { |k| k[:use] == 'sig' }).to eq(true) - key_from_response = JWT::JWK.import(json[:keys].first).public_key - public_key = AppArtifacts.store.oidc_primary_public_key + # Primary key should be first + primary_key_from_response = JWT::JWK.import(json[:keys].first).public_key + primary_public_key = AppArtifacts.store.oidc_primary_public_key - expect(key_from_response.to_pem).to eq(public_key.to_pem) + expect(primary_key_from_response.to_pem).to eq(primary_public_key.to_pem) + + secondary_key_from_response = JWT::JWK.import(json[:keys][1]).public_key + secondary_public_key = AppArtifacts.store.oidc_secondary_public_key + + expect(secondary_key_from_response.to_pem).to eq(secondary_public_key.to_pem) end end end From 2720d769410e69699c65f5a0bb9ed4ade0d39e90 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 16:35:53 -0600 Subject: [PATCH 06/11] add allow_missing spec --- spec/lib/app_artifacts_spec.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/spec/lib/app_artifacts_spec.rb b/spec/lib/app_artifacts_spec.rb index 55f305c487f..752bbe389f4 100644 --- a/spec/lib/app_artifacts_spec.rb +++ b/spec/lib/app_artifacts_spec.rb @@ -38,6 +38,20 @@ AppArtifacts::MissingArtifactError, 'missing artifact: /%s/test_artifact' ) end + + context 'with allow_missing: true' do + it 'does not raise an error if an artifact is missing' do + expect(secrets_s3).to receive(:read_file).with( + '/%s/test_artifact', + ).and_return(nil) + + store = instance.build do |store| + store.add_artifact(:test_artifact, '/%s/test_artifact', allow_missing: true) + end + + expect(store.test_artifact).to eq nil + end + end end context 'when running locally' do From 3530193132967317ec61727afb120b1fa30e8209 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 16:45:50 -0600 Subject: [PATCH 07/11] Update config/initializers/app_artifacts.rb Co-authored-by: Zach Margolis --- config/initializers/app_artifacts.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/initializers/app_artifacts.rb b/config/initializers/app_artifacts.rb index 57a63ff66ef..737765f416b 100644 --- a/config/initializers/app_artifacts.rb +++ b/config/initializers/app_artifacts.rb @@ -20,13 +20,13 @@ :oidc_secondary_private_key, '/%s/oidc_secondary.key', allow_missing: true ) do |k| - OpenSSL::PKey::RSA.new(k) if !k.nil? + OpenSSL::PKey::RSA.new(k) end store.add_artifact( :oidc_secondary_public_key, '/%s/oidc_secondary.pub', allow_missing: true ) do |k| - OpenSSL::PKey::RSA.new(k) if !k.nil? + OpenSSL::PKey::RSA.new(k) end end From 8dfc5b57f4bf6607c509241118e4878f3e4d0883 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 16:47:58 -0600 Subject: [PATCH 08/11] Update lib/app_artifacts.rb Co-authored-by: Zach Margolis --- lib/app_artifacts.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/app_artifacts.rb b/lib/app_artifacts.rb index 6861d18a4ed..379f7af6b8f 100644 --- a/lib/app_artifacts.rb +++ b/lib/app_artifacts.rb @@ -31,7 +31,7 @@ def build def add_artifact(name, path, allow_missing: false) value = read_artifact(path) raise MissingArtifactError.new("missing artifact: #{path}") if value.nil? && !allow_missing - value = yield(value) if block_given? + value = yield(value) if block_given? && value @artifacts[name] = value nil end From cc5a8835e39f30e5c1ab7ed5525c8b3a2f0e2d86 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Thu, 12 Dec 2024 08:00:43 -0600 Subject: [PATCH 09/11] Update spec/presenters/openid_connect_certs_presenter_spec.rb Co-authored-by: Zach Margolis --- spec/presenters/openid_connect_certs_presenter_spec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/presenters/openid_connect_certs_presenter_spec.rb b/spec/presenters/openid_connect_certs_presenter_spec.rb index 46e9012ec97..405f651ab72 100644 --- a/spec/presenters/openid_connect_certs_presenter_spec.rb +++ b/spec/presenters/openid_connect_certs_presenter_spec.rb @@ -12,14 +12,14 @@ expect(json[:keys].all? { |k| k[:use] == 'sig' }).to eq(true) # Primary key should be first - primary_key_from_response = JWT::JWK.import(json[:keys].first).public_key - primary_public_key = AppArtifacts.store.oidc_primary_public_key + primary_key_from_response, secondary_key_from_response = json[:keys].map do |key| + JWT::JWK.import(key).public_key + end + primary_public_key = AppArtifacts.store.oidc_primary_public_key expect(primary_key_from_response.to_pem).to eq(primary_public_key.to_pem) - secondary_key_from_response = JWT::JWK.import(json[:keys][1]).public_key secondary_public_key = AppArtifacts.store.oidc_secondary_public_key - expect(secondary_key_from_response.to_pem).to eq(secondary_public_key.to_pem) end end From 4386402360b3ccaa4676c6a97532c780c87d7087 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 11 Dec 2024 16:46:53 -0600 Subject: [PATCH 10/11] remove unused variable assignment --- app/forms/openid_connect_logout_form.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/app/forms/openid_connect_logout_form.rb b/app/forms/openid_connect_logout_form.rb index b9a4f7c8fe7..7ddc741abe5 100644 --- a/app/forms/openid_connect_logout_form.rb +++ b/app/forms/openid_connect_logout_form.rb @@ -94,9 +94,8 @@ def identity_from_token_hint(id_token_hint) return nil if id_token_hint.blank? payload, _headers = nil - _matching_cert = [ - AppArtifacts.store.oidc_primary_public_key, - AppArtifacts.store.oidc_secondary_public_key, + [ + AppArtifacts.store.oidc_primary_public_key, AppArtifacts.store.oidc_secondary_public_key ].compact.find do |key| payload, _headers = JWT.decode( id_token_hint, key, true, From 33b57dba31ff0d41776d358f652f846f4d589f74 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Thu, 12 Dec 2024 12:23:50 -0600 Subject: [PATCH 11/11] use Rails config to store OIDC keys and queues --- app/forms/openid_connect_logout_form.rb | 4 +--- app/presenters/openid_connect_certs_presenter.rb | 5 +---- config/initializers/app_artifacts.rb | 15 +++++++++++++++ spec/forms/openid_connect_token_form_spec.rb | 2 +- .../openid_connect_certs_presenter_spec.rb | 4 ++-- spec/services/id_token_builder_spec.rb | 2 +- spec/services/push_notification/http_push_spec.rb | 4 ++-- .../support/features/push_notifications_helper.rb | 2 +- spec/support/oidc_auth_helper.rb | 2 +- 9 files changed, 25 insertions(+), 15 deletions(-) diff --git a/app/forms/openid_connect_logout_form.rb b/app/forms/openid_connect_logout_form.rb index 7ddc741abe5..34c7c3391c2 100644 --- a/app/forms/openid_connect_logout_form.rb +++ b/app/forms/openid_connect_logout_form.rb @@ -94,9 +94,7 @@ def identity_from_token_hint(id_token_hint) return nil if id_token_hint.blank? payload, _headers = nil - [ - AppArtifacts.store.oidc_primary_public_key, AppArtifacts.store.oidc_secondary_public_key - ].compact.find do |key| + Rails.application.config.oidc_public_key_queue.compact.find do |key| payload, _headers = JWT.decode( id_token_hint, key, true, algorithm: 'RS256', diff --git a/app/presenters/openid_connect_certs_presenter.rb b/app/presenters/openid_connect_certs_presenter.rb index 8268c7c6d81..c90ec2fbc55 100644 --- a/app/presenters/openid_connect_certs_presenter.rb +++ b/app/presenters/openid_connect_certs_presenter.rb @@ -1,10 +1,7 @@ # frozen_string_literal: true class OpenidConnectCertsPresenter - KEYS = [ - AppArtifacts.store.oidc_primary_public_key, - AppArtifacts.store.oidc_secondary_public_key, - ].compact.map do |key| + KEYS = Rails.application.config.oidc_public_key_queue.map do |key| { alg: 'RS256', use: 'sig', diff --git a/config/initializers/app_artifacts.rb b/config/initializers/app_artifacts.rb index 737765f416b..0f7fe61374a 100644 --- a/config/initializers/app_artifacts.rb +++ b/config/initializers/app_artifacts.rb @@ -44,3 +44,18 @@ private_key: AppArtifacts.store.oidc_secondary_private_key, ) raise 'OIDC Secondary Public/Private Keys are invalid' if !secondary_valid + +Rails.application.configure do + config.oidc_public_key = AppArtifacts.store.oidc_primary_public_key + config.oidc_private_key = AppArtifacts.store.oidc_primary_private_key + + config.oidc_public_key_queue = [ + AppArtifacts.store.oidc_primary_public_key, + AppArtifacts.store.oidc_secondary_public_key, + ].compact.freeze + + config.oidc_private_key_queue = [ + AppArtifacts.store.oidc_primary_private_key, + AppArtifacts.store.oidc_secondary_private_key, + ].compact.freeze +end diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb index ef92d2c6893..b79c08aedbf 100644 --- a/spec/forms/openid_connect_token_form_spec.rb +++ b/spec/forms/openid_connect_token_form_spec.rb @@ -46,7 +46,7 @@ let(:client_private_key) do OpenSSL::PKey::RSA.new(Rails.root.join('keys', 'saml_test_sp.key').read) end - let(:server_public_key) { AppArtifacts.store.oidc_primary_public_key } + let(:server_public_key) { Rails.application.config.oidc_public_key } let(:user) { create(:user) } diff --git a/spec/presenters/openid_connect_certs_presenter_spec.rb b/spec/presenters/openid_connect_certs_presenter_spec.rb index 405f651ab72..da2bc11c601 100644 --- a/spec/presenters/openid_connect_certs_presenter_spec.rb +++ b/spec/presenters/openid_connect_certs_presenter_spec.rb @@ -16,10 +16,10 @@ JWT::JWK.import(key).public_key end - primary_public_key = AppArtifacts.store.oidc_primary_public_key + primary_public_key = Rails.application.config.oidc_public_key expect(primary_key_from_response.to_pem).to eq(primary_public_key.to_pem) - secondary_public_key = AppArtifacts.store.oidc_secondary_public_key + secondary_public_key = Rails.application.config.oidc_public_key_queue.last expect(secondary_key_from_response.to_pem).to eq(secondary_public_key.to_pem) end end diff --git a/spec/services/id_token_builder_spec.rb b/spec/services/id_token_builder_spec.rb index ed1b005d29a..e70f247e656 100644 --- a/spec/services/id_token_builder_spec.rb +++ b/spec/services/id_token_builder_spec.rb @@ -37,7 +37,7 @@ let(:decoded_id_token) do JWT.decode( id_token, - AppArtifacts.store.oidc_primary_public_key, + Rails.application.config.oidc_public_key, true, algorithm: 'RS256', ).map(&:with_indifferent_access) diff --git a/spec/services/push_notification/http_push_spec.rb b/spec/services/push_notification/http_push_spec.rb index 6b532486a36..b6b0288a695 100644 --- a/spec/services/push_notification/http_push_spec.rb +++ b/spec/services/push_notification/http_push_spec.rb @@ -48,7 +48,7 @@ jwt_payload, headers = JWT.decode( args[:jwt], - AppArtifacts.store.oidc_primary_public_key, + Rails.application.config.oidc_public_key, true, algorithm: 'RS256', kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, @@ -82,7 +82,7 @@ expect { deliver }.to have_enqueued_job(RiscDeliveryJob).with { |args| jwt_payload, _headers = JWT.decode( args[:jwt], - AppArtifacts.store.oidc_primary_public_key, + Rails.application.config.oidc_public_key, true, algorithm: 'RS256', kid: JWT::JWK.new(AppArtifacts.store.oidc_primary_private_key).kid, diff --git a/spec/support/features/push_notifications_helper.rb b/spec/support/features/push_notifications_helper.rb index 158dc8311e5..b6dfd1c9330 100644 --- a/spec/support/features/push_notifications_helper.rb +++ b/spec/support/features/push_notifications_helper.rb @@ -3,7 +3,7 @@ def stub_push_notification_request(sp_push_notification_endpoint:, event_type:, stub_request(:post, sp_push_notification_endpoint).with do |request| parsed_jwt, _jwt_headers = JWT.decode( request.body, - AppArtifacts.store.oidc_primary_public_key, + Rails.application.config.oidc_public_key, true, algorithm: 'RS256', ) diff --git a/spec/support/oidc_auth_helper.rb b/spec/support/oidc_auth_helper.rb index 52c7f6fe16b..347d53b0135 100644 --- a/spec/support/oidc_auth_helper.rb +++ b/spec/support/oidc_auth_helper.rb @@ -207,7 +207,7 @@ def oidc_decoded_token def oidc_decoded_id_token @oidc_decoded_id_token ||= JWT.decode( oidc_decoded_token[:id_token], - AppArtifacts.store.oidc_primary_public_key, + Rails.application.config.oidc_public_key, true, algorithm: 'RS256', ).first.with_indifferent_access