Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 95 additions & 9 deletions crates/registry-notary-server/src/federation/audit.rs
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
// SPDX-License-Identifier: Apache-2.0

use axum::response::Response;
use registry_notary_core::{AccessMode, ConfigMetadata, FEDERATION_PROTOCOL_V0_1};
use registry_notary_core::{
AccessMode, ConfigMetadata, FederationPeerConfig, FEDERATION_PROTOCOL_V0_1,
};
use registry_platform_oidc::VerifiedToken;
use time::format_description::well_known::Rfc3339;
use time::OffsetDateTime;
use ulid::Ulid;
Expand All @@ -10,11 +13,57 @@ use crate::api::evidence_claim_hash;

use super::errors::FederationProblem;

#[derive(Clone, Debug, Default)]
pub(super) struct FederationAuditContext {
pub(super) claim_ids: Vec<String>,
pub(super) scopes_used: Vec<String>,
pub(super) peer_node_id: Option<String>,
pub(super) issuer: Option<String>,
pub(super) profile: Option<String>,
pub(super) purpose: Option<String>,
pub(super) request_jti: Option<String>,
pub(super) subject_ref_hash: Option<String>,
}

impl FederationAuditContext {
pub(super) fn from_verified(peer: &FederationPeerConfig, verified: &VerifiedToken) -> Self {
Self {
scopes_used: peer.source_scopes.clone(),
peer_node_id: Some(peer.node_id.clone()),
issuer: Some(peer.issuer.clone()),
profile: verified
.claims
.extra
.get("profile")
.and_then(|value| value.as_str())
.map(str::to_string),
purpose: verified
.claims
.extra
.get("purpose")
.and_then(|value| value.as_str())
.map(str::to_string),
request_jti: verified
.claims
.extra
.get("jti")
.and_then(|value| value.as_str())
.map(str::to_string),
..Self::default()
}
}

pub(super) fn denied(&self, problem: FederationProblem) -> FederationDeniedOutcome {
FederationDeniedOutcome::with_context(problem, self.clone())
}
}

#[derive(Debug)]
pub(super) struct FederationAuditOutcome {
pub(super) decision: String,
pub(super) verification_id: Option<String>,
pub(super) claim_ids: Vec<String>,
pub(super) scopes_used: Vec<String>,
pub(super) error_code: Option<String>,
pub(super) peer_node_id: Option<String>,
pub(super) issuer: Option<String>,
Expand All @@ -26,19 +75,56 @@ pub(super) struct FederationAuditOutcome {

impl FederationAuditOutcome {
pub(super) fn denied(problem: &FederationProblem) -> Self {
Self::denied_with_context(problem, FederationAuditContext::default())
}

pub(super) fn denied_with_context(
problem: &FederationProblem,
context: FederationAuditContext,
) -> Self {
Self {
decision: "federated_evaluate_denied".to_string(),
verification_id: None,
claim_ids: Vec::new(),
claim_ids: context.claim_ids,
scopes_used: context.scopes_used,
error_code: Some(problem.code.clone()),
peer_node_id: None,
issuer: None,
profile: None,
purpose: None,
request_jti: None,
subject_ref_hash: None,
peer_node_id: context.peer_node_id,
issuer: context.issuer,
profile: context.profile,
purpose: context.purpose,
request_jti: context.request_jti,
subject_ref_hash: context.subject_ref_hash,
}
}

pub(super) fn into_denied(mut self, problem: &FederationProblem) -> Self {
self.decision = "federated_evaluate_denied".to_string();
self.error_code = Some(problem.code.clone());
self
}
}

#[derive(Debug)]
pub(super) struct FederationDeniedOutcome {
pub(super) problem: FederationProblem,
pub(super) audit: FederationAuditOutcome,
}

impl FederationDeniedOutcome {
pub(super) fn with_context(
problem: FederationProblem,
context: FederationAuditContext,
) -> Self {
let audit = FederationAuditOutcome::denied_with_context(&problem, context);
Self { problem, audit }
}
}

impl From<FederationProblem> for FederationDeniedOutcome {
fn from(problem: FederationProblem) -> Self {
let audit = FederationAuditOutcome::denied(&problem);
Self { problem, audit }
}
}

pub(super) fn federation_audit_event(
Expand All @@ -56,7 +142,7 @@ pub(super) fn federation_audit_event(
event_id: Ulid::new().to_string(),
occurred_at,
principal_id_hash: None,
scopes_used: Vec::new(),
scopes_used: audit.scopes_used,
decision: audit.decision,
method: "POST".to_string(),
path: "/federation/v1/evaluations".to_string(),
Expand Down
49 changes: 32 additions & 17 deletions crates/registry-notary-server/src/federation/claims.rs
Original file line number Diff line number Diff line change
Expand Up @@ -84,12 +84,27 @@ pub(super) fn request_subject(
verified: &VerifiedToken,
profile: &FederationEvaluationProfileConfig,
) -> Result<SubjectRequest, FederationProblem> {
let request = verified
.claims
.extra
.get("request")
.and_then(Value::as_object)
.ok_or_else(|| FederationProblem::invalid_request("request object is required"))?;
let subject = request_subject_identifier(verified, profile)?;
let request = request_object(verified)?;
let requested_claims = request
.get("claims")
.and_then(Value::as_array)
.ok_or_else(|| FederationProblem::invalid_request("request.claims is required"))?;
if requested_claims.len() != 1
|| requested_claims.first().and_then(Value::as_str) != Some(profile.claim_id.as_str())
{
return Err(FederationProblem::forbidden(
"request claims do not match profile",
));
}
Ok(subject)
}

pub(super) fn request_subject_identifier(
verified: &VerifiedToken,
profile: &FederationEvaluationProfileConfig,
) -> Result<SubjectRequest, FederationProblem> {
let request = request_object(verified)?;
let subject = request
.get("subject")
.and_then(Value::as_object)
Expand All @@ -107,23 +122,23 @@ pub(super) fn request_subject(
"subject id type is not allowed",
));
}
let requested_claims = request
.get("claims")
.and_then(Value::as_array)
.ok_or_else(|| FederationProblem::invalid_request("request.claims is required"))?;
if requested_claims.len() != 1
|| requested_claims.first().and_then(Value::as_str) != Some(profile.claim_id.as_str())
{
return Err(FederationProblem::forbidden(
"request claims do not match profile",
));
}
Ok(SubjectRequest {
id: id.to_string(),
id_type: Some(id_type.to_string()),
})
}

fn request_object(
verified: &VerifiedToken,
) -> Result<&serde_json::Map<String, Value>, FederationProblem> {
verified
.claims
.extra
.get("request")
.and_then(Value::as_object)
.ok_or_else(|| FederationProblem::invalid_request("request object is required"))
}

pub(super) fn source_observation_is_stale(
profile: &FederationEvaluationProfileConfig,
results: &[registry_notary_core::ClaimResultView],
Expand Down
Loading
Loading