Skip to content

LG-12240: Log matched policy OIDs #437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jc-gsa merged 8 commits into from
Mar 15, 2024
Merged

LG-12240: Log matched policy OIDs #437

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
cb9c077
Add matched_policy_oids
jc-gsa Mar 8, 2024
c1ee4a6
Update controller
jc-gsa Mar 8, 2024
0f8b696
Update spec
jc-gsa Mar 8, 2024
61e21a2
Change payload format of matched_policy_oids
Mar 13, 2024
7e114a1
Reverse prior commit
Mar 13, 2024
c8c2fa7
Add hash payload for matched_policy_oids
Mar 13, 2024
b58e6d1
Change code style
Mar 14, 2024
84665dc
Merge branch 'main' into LG-12240-log-matched-policy-oids
jc-gsa Mar 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions app/controllers/identify_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,9 @@ def log_certificate(cert)
}

attributes.delete(:issuer) if validation_result == 'self-signed cert'
if valid
attributes[:matched_policy_oids] = cert.matched_policy_oids.map { |oid| [oid, true] }.to_h
end

# Log certificate if it fails either OpenSSL validation, but passes our current validation or vice versa
if valid != login_certs_openssl_result[:valid] || valid != ficam_certs_openssl_result[:valid]
Expand Down
2 changes: 1 addition & 1 deletion app/models/certificate.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ def initialize(x509_cert)
def_delegators :x509_cert, :not_before, :not_after, :subject, :issuer, :verify,
:public_key, :serial, :to_text

def_delegators :@cert_policies, :allowed_by_policy?, :critical_policies_recognized?
def_delegators :@cert_policies, :allowed_by_policy?, :critical_policies_recognized?, :matched_policy_oids

def trusted_root?
CertificateStore.trusted_ca_root_identifiers.include?(key_id)
Expand Down
6 changes: 5 additions & 1 deletion app/policies/certificate_policies.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,14 @@ def allowed_by_policy?
# otherwise, we want to allow it for now, but log the cert so we can see what policies are
# coming up
# This policy check is only on the leaf certificate - not used by CAs
matched_policy_oids.any?
end

def matched_policy_oids
mapping = PolicyMappingService.new(@certificate).call
expected_policies = required_policies
cert_policies = policies.map { |policy| mapping[policy] }
(cert_policies & expected_policies).any?
(cert_policies & expected_policies)
end

def policies
Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/identify_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,11 +158,11 @@
openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
ficam_openssl_valid: false,
ficam_openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
matched_policy_oids: { '2.16.840.1.101.2.1.11.9' => true },
}.to_json).once

@request.headers['X-Client-Cert'] = CGI.escape(client_cert_pem)


get :create, params: { nonce: '123', redirect_uri: 'http://example.com/' }
expect(response).to have_http_status(:found)
expect(response.has_header?('Location')).to be_truthy
Expand Down