GSA / data.gov

Main repository for the data.gov service
https://data.gov

Fetch and verify remote IdP metadata in CKAN #2860

Open adborden opened 3 years ago

adborden commented 3 years ago

User Story

In order to follow best practices in security by fetching up-to-date metadata and verifying its authenticity, data.gov team wants to use pysaml2's remote metadata feature to fetch and verify the IdP metadata at runtime.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]

Security Considerations (required)

[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]

Sketch

Update ckan config similar to this:

ckanext.saml2auth.idp_metadata.location=remote
ckanext.saml2auth.idp_metadata.remote_cert = path/to/idp_certificate.pem  # From the IdP https://developers.login.gov/saml/#signing-certificates
ckanext.saml2auth.idp_metadata.remote_url = https://idp.int.identitysandbox.gov/api/saml/metadata2020

Maybe see an error like this:

   2021-02-19T12:02:10.57-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,577 INFO  [repoze.who] -- repoze.who request started (/user/saml2login) --
   2021-02-19T12:02:10.57-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,577 INFO  [repoze.who] no identities found, not authenticating
   2021-02-19T12:02:10.58-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,580 INFO  [ckanext.saml2auth.spconfig] Config sent {u'entityid': 'urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:datagov-development-inventory', u'debug': 0, u'encryption_keypairs': [{u'key_file': '/home/vcap/tmp/tmp.CbgXYSlsia/saml2_key.pem', u'cert_file': '/home/vcap/tmp/tmp.CbgXYSlsia/saml2_certificate.pem'}], u'name_form': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', u'cert_file': '/home/vcap/tmp/tmp.CbgXYSlsia/saml2_certificate.pem', u'service': {u'sp': {u'want_response_signed': False, u'want_assertions_signed': False, u'name_id_format': ['urn:oasis:names:tc:saml:2.0:nameid-format:persistent', 'urn:oasis:names:tc:saml:2.0:nameid-format:transient', 'n:oasis:names:tc:saml:2.0:nameid-format:emailaddress'], u'name': u'CKAN SP', u'allow_unsolicited': True, u'endpoints': {u'assertion_consumer_service': [u'https://inventory-dev-datagov.app.cloud.gov/acs']}, u'want_assertions_or_response_signed': True}}, u'description': u'CKAN saml2 Service Provider', u'key_file': '/home/vcap/tmp/tmp.CbgXYSlsia/saml2_key.pem', u'metadata': {u'remote': [{u'cert': '/home/vcap/tmp/tmp.CbgXYSlsia/saml2_idp_certificate.pem', u'url': 'https://idp.int.identitysandbox.gov/api/saml/metadata2020'}]}, u'allow_unknown_attributes': 'true'}
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,712 ERROR [saml2.sigver] returncode=1
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR error=func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=341:obj=x509-store:subj=unknown:error=71:certificate verification failed:X509_verify_cert: subject=/C=US/ST=District of Columbia/O=GSA/OU=TTS/OU=Login.gov/CN=secure.identitysandbox.gov; issuer=/C=US/ST=District of Columbia/O=GSA/OU=TTS/OU=Login.gov/CN=secure.identitysandbox.gov; err=18; msg=self signed certificate
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=380:obj=x509-store:subj=unknown:error=71:certificate verification failed:subject=/C=US/ST=District of Columbia/O=GSA/OU=TTS/OU=Login.gov/CN=secure.identitysandbox.gov; issuer=/C=US/ST=District of Columbia/O=GSA/OU=TTS/OU=Login.gov/CN=secure.identitysandbox.gov; err=18; msg=self signed certificate
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecXPathDataExecute:file=xpath.c:line=240:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_466e0e90-551b-0139-8d2d-061b8399f741')); xml error: 0: NULL
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecXPathDataListExecute:file=xpath.c:line=323:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecTransformXPathExecute:file=xpath.c:line=424:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2101:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1037:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecTransformCtxExecute:file=transforms.c:line=1084:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1405:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=750:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=512:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR func=xmlSecDSigCtxVerify:file=xmldsig.c:line=341:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR Error: signature failed
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR ERROR
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR SignedInfo References (ok/all): 0/1
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR Manifests References (ok/all): 0/0
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR Error: failed to verify file "/home/vcap/tmp/tmptTnyDn.xml"
   2021-02-19T12:02:10.71-0800 [APP/PROC/WEB/0] ERR output=
   2021-02-19T12:02:10.72-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,726 INFO  [repoze.who] no challenge required
   2021-02-19T12:02:10.72-0800 [APP/PROC/WEB/0] ERR 2021-02-19 20:02:10,726 INFO  [repoze.who] -- repoze.who request ended (/user/saml2login) --

In the pysaml2 config, we are correctly specifying remote.cert and remote.url. xmlsec is complaining that the IdP certificate is self-signed, but that should be fine since we are provided a trusted certificate. It's possible this is a bug in pysaml2 4.9.0 and might be fixed in recent versions.
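Pre-flight checks on the fetched metadata, as an added example that is not part of this issue and not data.gov, ckanext-saml2auth or pysaml2 code. It uses only the Python standard library and does not perform XML-DSig verification (pysaml2 hands that to xmlsec); what it enforces is the trust decision the sketch above encodes: the certificate in `remote_cert` is pinned out of band, so the certificate the metadata signature advertises must be that exact certificate, self-signed or not, and the document must still be inside its `validUntil`. The entity ID, URLs, certificate bytes and the metadata document below are constructed for the example; the certificate is PEM armor around arbitrary bytes, not real X.509.

```python
"""Pre-flight checks on remotely fetched SAML IdP metadata (added example)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # expat ignores external entities by default: no XXE here
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fake_cert_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes.
    NOT valid X.509; only the byte-for-byte comparison matters in this example."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(label).decode()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and return the DER bytes of the certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 over DER: the usual way to compare certificates exactly."""
    return hashlib.sha256(der).hexdigest()


def certs_under(element) -> set:
    """Fingerprints of every ds:X509Certificate below `element`."""
    return {fingerprint(base64.b64decode("".join((n.text or "").split())))
            for n in element.iterfind(".//ds:X509Certificate", NS)}


def parse_xs_datetime(value: str) -> datetime:
    """Parse the UTC xs:dateTime forms SAML metadata uses for validUntil."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported xs:dateTime: %r" % value)


def check_metadata(xml_text, pinned_pem, expected_entity_id, now=None):
    """Return (errors, warnings). Empty `errors` means the document matches the pin
    and is still valid; it says nothing about the signature bytes themselves."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_xs_datetime(now)
    errors, warnings = [], []

    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["unexpected root element %s" % root.tag], warnings
    if root.get("entityID") != expected_entity_id:
        errors.append("entityID mismatch: got %r" % root.get("entityID"))

    pinned = fingerprint(pem_to_der(pinned_pem))

    # 1. The certificate the signature advertises must be the pinned one.  Being
    #    self-signed is fine: trust comes from the pin, not from a CA chain.
    signature = root.find("ds:Signature", NS)
    if signature is None:
        errors.append("metadata carries no ds:Signature")
    else:
        sig_certs = certs_under(signature)
        if not sig_certs:
            warnings.append("signature embeds no certificate; verifier must rely on the pin alone")
        elif pinned not in sig_certs:
            errors.append("signature certificate is not the pinned certificate (rotation or tampering)")

    # 2. Never keep trusting a document past its own validUntil.
    valid_until = root.get("validUntil")
    if valid_until is None:
        warnings.append("no validUntil; bound the cache lifetime yourself")
    else:
        try:
            expires = parse_xs_datetime(valid_until)
        except ValueError as exc:
            errors.append(str(exc))
        else:
            if expires < now:
                errors.append("metadata expired at %s" % expires.isoformat())

    # 3. The pinned certificate should also be an advertised signing key
    #    (use="signing", or no use attribute, which means signing and encryption).
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        errors.append("no IDPSSODescriptor; this is not IdP metadata")
    else:
        signing = set()
        for kd in idp.iterfind("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):
                signing |= certs_under(kd)
        if pinned not in signing:
            warnings.append("pinned certificate is not advertised as an assertion signing key")
    return errors, warnings


# Constructed sample data: a fake pinned certificate and an EntityDescriptor with
# the shape of real IdP metadata (signature value and certificate bytes are dummies).
PINNED_CERT_PEM = fake_cert_pem(b"constructed-idp-signing-cert-2021")
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2021-06-30T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>@CERT@</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>@CERT@</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/auth"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("@CERT@", "".join(PINNED_CERT_PEM.splitlines()[1:-1]))

if __name__ == "__main__":
    entity = "https://idp.example.test/saml"
    print(check_metadata(SAMPLE_METADATA, PINNED_CERT_PEM, entity, now="2021-02-19T20:02:10Z"))
    print(check_metadata(SAMPLE_METADATA, fake_cert_pem(b"rotated-cert"), entity, now="2021-02-19T20:02:10Z"))
```

The first call returns no errors; the second reports that the signature certificate is not the pinned one, which is the condition a key rotation at the IdP (or a tampered document) produces and is the thing to alert on, rather than letting the SP silently keep a stale cached copy. The comparison is byte-for-byte against the pin, so a self-signed certificate passes here; the xmlsec failure in the log above comes from the X.509 store path (`X509_verify_cert`, err=18), which has no trust anchor for a self-signed certificate unless one is supplied as such.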

mogul commented 3 years ago

No urgency here as we expect login.gov will be notifying us when they plan to expire the metadata at the existing URL.