Enable assertion encryption for login.gov [catalog-next]

[woodt]

In production configurations, login.gov requires assertions to be encrypted. In sandbox, assertion encryption was disabled because I could never get it to work. It seems like we have to revisit that choice.

Specifically, in the login.gov IDP configuration for catalog-next, change the "assertion cryptography" setting to something other than "None." Then debug :-(

2020-12-08 20:25:18,617 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:18,618 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:20,872 WARNI [ckan.lib.maintain] Function _resource_preview() in module ckan.controllers.package has been deprecated and will be removed in a later release of ckan. Resource preview is deprecated. Please use the new resource views
2020-12-08 20:25:21,014 INFO  [ckan.lib.base]  /dataset/sba-paycheck-protection-program-ppp-loan-report-as-of-05-23-2020/resource/6f0f9639-eb54-4e40-99f2-d856c62aeb75 render time 2.413 seconds
2020-12-08 20:25:23,495 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:23,497 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:27,834 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:27,835 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:30,268 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:30,268 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:31,338 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:31,339 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:31,997 INFO  [ckanext.geodatagov.plugins] Added FQ to collection_package_id
2020-12-08 20:25:33,569 INFO  [ckanext.geodatagov.plugins] Added FQ to collection_package_id
2020-12-08 20:25:33,609 INFO  [ckan.lib.base]  /organization/6735b2b0-9015-492f-a855-fbcf03185e6c render time 2.418 seconds
2020-12-08 20:25:43,865 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:43,865 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:44,066 INFO  [ckanext.geodatagov.plugins] Added FQ to collection_package_id
2020-12-08 20:25:44,477 INFO  [ckanext.geodatagov.plugins] Added FQ to collection_package_id
2020-12-08 20:25:44,510 INFO  [ckan.lib.base]  /group/consumer9350 render time 0.703 seconds
2020-12-08 20:25:55,889 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:55,889 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:57,177 ERROR [saml2.s2repoze.plugins.sp] [sp.identify] saml_error
Traceback (most recent call last):
  File "/usr/lib/ckan-new/src/pysaml2/src/saml2/s2repoze/plugins/sp.py", line 547, in identify
    environ, post, binding=binding
  File "/usr/lib/ckan-new/src/pysaml2/src/saml2/s2repoze/plugins/sp.py", line 433, in _eval_authn_response
    session_info = authresp.session_info()
  File "/usr/lib/ckan-new/src/pysaml2/src/saml2/response.py", line 1108, in session_info
    authn_statement = self.assertion.authn_statement[0]
AttributeError: 'NoneType' object has no attribute 'authn_statement'
2020-12-08 20:25:57,381 DEBUG [ckanext.saml2] REMOTE_USER = ""
2020-12-08 20:25:57,381 INFO  [ckanext.saml2] Ignoring REMOTE_USER - does not look like a NameID
2020-12-08 20:25:57,385 INFO  [ckanext.geodatagov.plugins] Added FQ to collection_package_id

[avdata99]

Notes

• Assertion encription setting (web UI) I have no permission "SAML assertion encryption". This is the IDP side
• None or Ae256cbc are the only encryption options.
• About Encryption key pairs: https://pysaml2.readthedocs.io/en/latest/howto/config.html?highlight=assertions#encryption-keypairs
• Similar error: https://stackoverflow.com/questions/16258520/saml2-0-assertion-decrypt
• Pysaml2 save things in memory or file. Maybe we need to save interactions in a database
• About Assertions signed https://pysaml2.readthedocs.io/en/latest/howto/config.html?highlight=assertions#want-assertions-or-response-signed
• Our related PRs
  • https://github.com/GSA/ckanext-saml2/pull/12
  • https://github.com/GSA/pysaml2/pull/6 feature/ci-login-gov is ours

[avdata99]

Notes:

Oustanding certs are empty https://github.com/GSA/pysaml2/blob/datagov/v4.9.0/src/saml2/s2repoze/plugins/sp.py#L117-L120

So we don't get any keys to decrypt https://github.com/GSA/pysaml2/blob/datagov/v4.9.0/src/saml2/entity.py#L1170-L1171

[avdata99]

Here was added the encrypted certificates: https://github.com/IdentityPython/pysaml2/commit/2e1bbc861bc76229f68e1227a012df247baabb90

[avdata99]

IDPs are empty so we get as misconfiguration error

[ghost]

This is blocked by #541

[avdata99]

Encryption for assertions are enabled in all environment and working

[adborden]

Confirmed encrypted assertions have been enabled.