From feeb2df0822da2faf06f65fc844b519cf1e6a6f0 Mon Sep 17 00:00:00 2001 From: shekhar16 Date: Sun, 1 Sep 2024 01:31:39 +0530 Subject: [PATCH] feat(jans-fido): changes to refactor requestedParties #9111 Signed-off-by: shekhar16 --- .../janssen-fido2-configuration.md | 6 +- docs/admin/fido/config.md | 36 +++++------ docs/admin/fido/logs.md | 6 +- .../json/properties/fido2-properties.md | 64 +++++++++---------- .../plugins/docs/fido2-plugin-swagger.yaml | 2 +- .../resources/feature/fido2/dynamiconf.json | 6 +- .../test/resources/feature/fido2/fido2.json | 6 +- .../feature/fido2/ref_dynami_conf.json | 6 +- .../fido2/model/conf/Fido2Configuration.java | 2 + .../jans/fido2/model/conf/RequestedParty.java | 22 +++---- .../service/mds/FetchMdsProviderService.java | 1 + .../service/operation/AttestationService.java | 4 +- .../templates/jans-fido2/dynamic-conf.json | 6 +- 13 files changed, 85 insertions(+), 82 deletions(-) diff --git a/docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md b/docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md index 494dc6ac8e2..56b2d6a07b0 100644 --- a/docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md +++ b/docs/admin/config-guide/fido2-config/janssen-fido2-configuration.md @@ -99,10 +99,10 @@ It will return the result as below: "RS256", "ES256" ], - "requestedParties": [ + "rp": [ { - "name": "https://jans-project.lxd", - "domains": [ + "id": "https://jans-project.lxd", + "origins": [ "jans-project.lxd" ] } diff --git a/docs/admin/fido/config.md b/docs/admin/fido/config.md index 4f9ac920519..e00a95164b5 100644 --- a/docs/admin/fido/config.md +++ b/docs/admin/fido/config.md 
@@ -26,21 +26,21 @@ tags: #### Fido2Configuration structure -| Field named | Example | Description | -|-----------------------------------------|----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| authenticatorCertsFolder | /etc/jans/conf/fido2/authenticator_cert | Authenticators certificates fodler. | -| mdsCertsFolder | /etc/jans/conf/fido2/mds/cert | MDS TOC root certificates folder. | -| mdsTocsFolder | /etc/jans/conf/fido2/mds/toc | MDS TOC files folder. | -| serverMetadataFolder | /etc/jans/conf/fido2/server_metadata | Authenticators metadata in json format. Example: virtual devices. | -| metadataUrlsProvider | https://mds3.fido.tools | String value to provide source of URLs with external metadata. | -| enabledFidoAlgorithms | ["RS256","ES256"] | | -| requestedParties | [{"name":"https://my-jans-server.jans.io","domains":["my-jans-server.jans.io"]}] | Requested party name. | -| debugUserAutoEnrollment | false | Allow to enroll users on enrollment/authentication requests. (Useful while running tests) | -| unfinishedRequestExpiration | 180 | Expiration time in seconds for pending enrollment/authentication requests | -| authenticationHistoryExpiration | 1296000 | Expiration time in seconds for approved authentication requests. | -| disableMetadataService | false | Boolean value indicating whether the MDS download should be omitted | -| skipValidateMdsInAttestationEnabled | false | Boolean value indicating whether MDS validation should be omitted during attestation | -| assertionOptionsGenerateEndpointEnabled | false | Boolean value indicating whether the assertion custom endpoint (used especially in passkey) is enabled. 
| +| Field named | Example | Description | +|-----------------------------------------|--------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| authenticatorCertsFolder | /etc/jans/conf/fido2/authenticator_cert | Authenticators certificates fodler. | +| mdsCertsFolder | /etc/jans/conf/fido2/mds/cert | MDS TOC root certificates folder. | +| mdsTocsFolder | /etc/jans/conf/fido2/mds/toc | MDS TOC files folder. | +| serverMetadataFolder | /etc/jans/conf/fido2/server_metadata | Authenticators metadata in json format. Example: virtual devices. | +| metadataUrlsProvider | https://mds3.fido.tools | String value to provide source of URLs with external metadata. | +| enabledFidoAlgorithms | ["RS256","ES256"] | | +| rp | [{"id":"https://my-jans-server.jans.io","origins":["my-jans-server.jans.io"]}] | Requested party id. | +| debugUserAutoEnrollment | false | Allow to enroll users on enrollment/authentication requests. (Useful while running tests) | +| unfinishedRequestExpiration | 180 | Expiration time in seconds for pending enrollment/authentication requests | +| authenticationHistoryExpiration | 1296000 | Expiration time in seconds for approved authentication requests. | +| disableMetadataService | false | Boolean value indicating whether the MDS download should be omitted | +| skipValidateMdsInAttestationEnabled | false | Boolean value indicating whether MDS validation should be omitted during attestation | +| assertionOptionsGenerateEndpointEnabled | false | Boolean value indicating whether the assertion custom endpoint (used especially in passkey) is enabled. | ### Configuring the FIDO2 server: #### 1. Read Configuration parameters: @@ -87,10 +87,10 @@ Response: "RS256", "ES256" ], - "requestedParties": [ + "rp": [ { - "name": "https://my.jans.server", - "domains": [ + "id": "https://my.jans.server", + "origins": [ "my.jans.server" ] } 
diff --git a/docs/admin/fido/logs.md b/docs/admin/fido/logs.md
index d24618f9c42..c5df6dfc47f 100644
--- a/docs/admin/fido/logs.md
+++ b/docs/admin/fido/logs.md
@@ -45,10 +45,10 @@ Response:
 "RS256",
 "ES256"
 ],
-"requestedParties":[
+"rp":[
 {
-"name":"https://my-jans-server.jans.io",
-"domains":[
+"id":"https://my-jans-server.jans.io",
+"origins":[
 "my-jans-server.jans.io"
 ]
 }
diff --git a/docs/admin/reference/json/properties/fido2-properties.md b/docs/admin/reference/json/properties/fido2-properties.md
index 0e65978ab3c..f0e7ddb21f9 100644
--- a/docs/admin/reference/json/properties/fido2-properties.md
+++ b/docs/admin/reference/json/properties/fido2-properties.md
@@ -8,36 +8,36 @@ tags: # Fido2 Configuration Properties -| Property Name | Description | | -|-----|-----|-----| -| authenticationHistoryExpiration | Expiration time in seconds for approved authentication requests | [Details](#authenticationhistoryexpiration) | -| authenticatorCertsFolder | Authenticators certificates folder | [Details](#authenticatorcertsfolder) | -| baseEndpoint | The base URL for Fido2 endpoints | [Details](#baseendpoint) | -| checkU2fAttestations | Boolean value indicating if U2f attestation needs to be checked | [Details](#checku2fattestations) | -| cleanServiceBatchChunkSize | Each clean up iteration fetches chunk of expired data per base dn and removes it from storage | [Details](#cleanservicebatchchunksize) | -| cleanServiceInterval | Time interval for the Clean Service in seconds | [Details](#cleanserviceinterval) | -| disableJdkLogger | Boolean value specifying whether to enable JDK Loggers | [Details](#disablejdklogger) | -| externalLoggerConfiguration | Path to external Fido2 logging configuration | [Details](#externalloggerconfiguration) | -| issuer | URL using the https scheme for Issuer identifier | [Details](#issuer) | -| loggingLayout | Logging layout used for Fido2 | [Details](#logginglayout) | -| loggingLevel | Logging level for Fido2 logger | [Details](#logginglevel) | -| mdsAccessToken | MDS access token | [Details](#mdsaccesstoken) | -| mdsCertsFolder | MDS TOC root certificates folder | [Details](#mdscertsfolder) | -| mdsTocsFolder | MDS TOC files folder | [Details](#mdstocsfolder) | -| metadataUrlsProvider | String value to provide source of URLs with external metadata | [Details](#metadataurlsprovider) | -| metricReporterEnabled | Boolean value specifying whether metric reporter is enabled | [Details](#metricreporterenabled) | -| metricReporterInterval | The interval for metric reporter in seconds | [Details](#metricreporterinterval) | -| metricReporterKeepDataDays | The days to keep report data | 
[Details](#metricreporterkeepdatadays) | -| oldU2fMigrationEnabled | Boolean value to enable disable old oxAuth U2F enrollments migration | [Details](#oldu2fmigrationenabled) | -| personCustomObjectClassList | Custom object class list for dynamic person enrolment | [Details](#personcustomobjectclasslist) | -| enabledFidoAlgorithms | List of Requested Credential Types | [Details](#enabledFidoAlgorithms) | -| requestedParties | Authenticators metadata in json format | [Details](#requestedparties) | -| serverMetadataFolder | Authenticators metadata in json format | [Details](#servermetadatafolder) | -| sessionIdPersistInCache | Boolean value specifying whether to persist session_id in cache | [Details](#sessionidpersistincache) | -| superGluuEnabled | Boolean value to enable disable Super Gluu extension | [Details](#supergluuenabled) | -| unfinishedRequestExpiration | Expiration time in seconds for pending enrollment/authentication requests | [Details](#unfinishedrequestexpiration) | -| useLocalCache | Boolean value to indicate if Local Cache is to be used | [Details](#uselocalcache) | -| debugUserAutoEnrollment | Allow to enroll users on enrollment/authentication requests | [Details](#userautoenrollment) | +| Property Name | Description | | +|---------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------| +| authenticationHistoryExpiration | Expiration time in seconds for approved authentication requests | [Details](#authenticationhistoryexpiration) | +| authenticatorCertsFolder | Authenticators certificates folder | [Details](#authenticatorcertsfolder) | +| baseEndpoint | The base URL for Fido2 endpoints | [Details](#baseendpoint) | +| checkU2fAttestations | Boolean value indicating if U2f attestation needs to be checked | [Details](#checku2fattestations) | +| cleanServiceBatchChunkSize | Each clean up iteration fetches chunk of expired data per base dn 
and removes it from storage | [Details](#cleanservicebatchchunksize) | +| cleanServiceInterval | Time interval for the Clean Service in seconds | [Details](#cleanserviceinterval) | +| disableJdkLogger | Boolean value specifying whether to enable JDK Loggers | [Details](#disablejdklogger) | +| externalLoggerConfiguration | Path to external Fido2 logging configuration | [Details](#externalloggerconfiguration) | +| issuer | URL using the https scheme for Issuer identifier | [Details](#issuer) | +| loggingLayout | Logging layout used for Fido2 | [Details](#logginglayout) | +| loggingLevel | Logging level for Fido2 logger | [Details](#logginglevel) | +| mdsAccessToken | MDS access token | [Details](#mdsaccesstoken) | +| mdsCertsFolder | MDS TOC root certificates folder | [Details](#mdscertsfolder) | +| mdsTocsFolder | MDS TOC files folder | [Details](#mdstocsfolder) | +| metadataUrlsProvider | String value to provide source of URLs with external metadata | [Details](#metadataurlsprovider) | +| metricReporterEnabled | Boolean value specifying whether metric reporter is enabled | [Details](#metricreporterenabled) | +| metricReporterInterval | The interval for metric reporter in seconds | [Details](#metricreporterinterval) | +| metricReporterKeepDataDays | The days to keep report data | [Details](#metricreporterkeepdatadays) | +| oldU2fMigrationEnabled | Boolean value to enable disable old oxAuth U2F enrollments migration | [Details](#oldu2fmigrationenabled) | +| personCustomObjectClassList | Custom object class list for dynamic person enrolment | [Details](#personcustomobjectclasslist) | +| enabledFidoAlgorithms | List of Requested Credential Types | [Details](#enabledFidoAlgorithms) | +| rp | Requested Parties Authenticators metadata in json format | [Details](#rp) | +| serverMetadataFolder | Authenticators metadata in json format | [Details](#servermetadatafolder) | +| sessionIdPersistInCache | Boolean value specifying whether to persist session_id in cache | 
[Details](#sessionidpersistincache) | +| superGluuEnabled | Boolean value to enable disable Super Gluu extension | [Details](#supergluuenabled) | +| unfinishedRequestExpiration | Expiration time in seconds for pending enrollment/authentication requests | [Details](#unfinishedrequestexpiration) | +| useLocalCache | Boolean value to indicate if Local Cache is to be used | [Details](#uselocalcache) | +| debugUserAutoEnrollment | Allow to enroll users on enrollment/authentication requests | [Details](#userautoenrollment) | ### authenticationHistoryExpiration @@ -229,9 +229,9 @@ tags: - Default value: None -### requestedParties +### rp -- Description: Authenticators metadata in json format +- Description: Requested Parties Authenticators metadata in json format - Required: No diff --git a/jans-config-api/plugins/docs/fido2-plugin-swagger.yaml b/jans-config-api/plugins/docs/fido2-plugin-swagger.yaml index 8e390bc22fd..f4bcd99231c 100644 --- a/jans-config-api/plugins/docs/fido2-plugin-swagger.yaml +++ b/jans-config-api/plugins/docs/fido2-plugin-swagger.yaml @@ -166,7 +166,7 @@ components: type: array items: type: string - requestedParties: + rp: type: array items: $ref: '#/components/schemas/RequestedParty' diff --git a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json index 6672ad0a286..201609ab463 100644 --- a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json +++ b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/dynamiconf.json @@ -17,10 +17,10 @@ ], "fido2Configuration": { "serverMetadataFolder": "/etc/gluu/conf/fido2/server_metadata", - "requestedParties": [ + "rp": [ { - "name": "https://pujavs4.2.gluu.server", - "domains": [ + "id": "https://pujavs4.2.gluu.server", + "origins": [ "pujavs4.2.gluu.server" ] } 
diff --git a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/fido2.json b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/fido2.json index 19b2f72433b..84a2a915cc8 100644 --- a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/fido2.json +++ b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/fido2.json @@ -1,10 +1,10 @@ { "serverMetadataFolder": "/etc/gluu/conf/fido2/server_metadata", "authenticationHistoryExpiration": 1296000, - "requestedParties": [ + "rp": [ { - "name": "https://pujavs3.infinity.com", - "domains": [ + "id": "https://pujavs3.infinity.com", + "origins": [ "pujavs3.infinity.com" ] } diff --git a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/ref_dynami_conf.json b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/ref_dynami_conf.json index d2b3c8a303f..e9cf90d840b 100644 --- a/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/ref_dynami_conf.json +++ b/jans-config-api/plugins/fido2-plugin/src/test/resources/feature/fido2/ref_dynami_conf.json @@ -28,10 +28,10 @@ "RS256", "ES256" ], - "requestedParties":[ + "rp":[ { - "name":"https://u184.gluu.info", - "domains":[ + "id":"https://u184.gluu.info", + "origins":[ "u184.gluu.info" ] } diff --git a/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java b/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java index 8e9ce9f9a6e..57f69474faa 100644 --- a/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java +++ b/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java @@ -10,6 +10,7 @@ import java.util.List; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; import io.jans.doc.annotation.DocProperty; /** 
@@ -43,6 +44,7 @@ public class Fido2Configuration { @DocProperty(description = "List of Requested Credential Types") private List enabledFidoAlgorithms = new ArrayList(); @DocProperty(description = "Authenticators metadata in json format") + @JsonProperty(value = "rp") private List requestedParties = new ArrayList(); @DocProperty(description = "String value to provide source of URLs with external metadata") diff --git a/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/RequestedParty.java b/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/RequestedParty.java index b444afb4b66..ec0da0c306e 100644 --- a/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/RequestedParty.java +++ b/jans-fido2/model/src/main/java/io/jans/fido2/model/conf/RequestedParty.java @@ -19,24 +19,24 @@ @JsonIgnoreProperties(ignoreUnknown = true) public class RequestedParty { - private String name; + private String id; - private List domains = new ArrayList(); + private List origins = new ArrayList(); - public String getName() { - return name; - } - public void setName(String name) { - this.name = name; + public String getId() { + return id; } - public List getDomains() { - return domains; + public void setId(String id) { + this.id = id; } - public void setDomains(List domains) { - this.domains = domains; + public List getOrigins() { + return origins; } + public void setOrigins(List origins) { + this.origins = origins; + } } diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/FetchMdsProviderService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/FetchMdsProviderService.java index cc43b870356..1edf578a691 100644 --- a/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/FetchMdsProviderService.java +++ b/jans-fido2/server/src/main/java/io/jans/fido2/service/mds/FetchMdsProviderService.java 
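Review bot: Renaming the serialized key with `@JsonProperty(value = "rp")` on `requestedParties` means an existing `dynamic-conf.json` that still carries `requestedParties` deserializes to the empty default list, and because unknown properties are ignored (the class imports `JsonIgnoreProperties`) nothing reports the loss, so the configured relying-party allowlist silently disappears on upgrade; the same applies to the `name`/`domains` keys in the RequestedParty hunk below. Unless a migration step rewrites stored configuration, keep the old names readable with `@JsonAlias("requestedParties")` beside the new annotation (and `@JsonAlias("name")` / `@JsonAlias("domains")` on the RequestedParty fields, importing `com.fasterxml.jackson.annotation.JsonAlias`), which Jackson accepts on input while still writing `rp`. The `@DocProperty` on the line above still says "Authenticators metadata in json format", which is the description used for serverMetadataFolder rather than this list; `@DocProperty(description = "Relying parties (id and accepted origins) this server registers credentials for")`. The enclosing class starts outside the hunk.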
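Review bot: The field renamed to `origins` still holds bare hostnames (every updated example carries values like `my-jans-server.jans.io`, and the AttestationService hunk compares them case-insensitively with a document domain), whereas a WebAuthn origin is scheme://host[:port]; an operator who reads the new name literally and configures `https://...` values gets entries that never match. Pin the contract in Javadoc on the field, e.g. `/** Hostnames (no scheme or port) allowed to register against this RP; matched case-insensitively against the request's document domain. */`, and on `id`: `/** RP identifier handed to RelyingParty.createRelyingParty for a matching origin, where the default branch passes the issuer. */`. `setOrigins` also stores the caller's list as-is and accepts null, which the iteration in AttestationService does not guard; `this.origins = origins == null ? new ArrayList<>() : new ArrayList<>(origins);` keeps the field non-null and private to this object.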
@@ -42,6 +42,7 @@ public String fetchMdsV3Endpoints(String endpoint) throws MdsClientException {
 throw new MdsClientException(String.format("Error getting endpoints from mds test, status: %s, errorMessage: '%s'", response.getStatus(), response.getStatusInfo().getReasonPhrase()));
 }
 String responseBody = response.readEntity(String.class);
+log.debug("Fetch mds getEndpoints response, body: {}", responseBody);
 return responseBody;
 } finally {
 client.close();
diff --git a/jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java b/jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java
index 46224637f6f..0a820fdaae3 100644
--- a/jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java
+++ b/jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java
@@ -425,10 +425,10 @@ private RelyingParty createRpDomain(String documentDomain) {
 return RelyingParty.createRelyingParty(documentDomain, appConfiguration.getIssuer());
 } else {
 for (RequestedParty requestedParty : requestedParties) {
-for (String domain : requestedParty.getDomains()) {
+for (String domain : requestedParty.getOrigins()) {
 if (StringHelper.equalsIgnoreCase(documentDomain, domain)) {
 // Add entry for supported RP
-return RelyingParty.createRelyingParty(documentDomain, requestedParty.getName());
+return RelyingParty.createRelyingParty(documentDomain, requestedParty.getId());
 }
 }
 }
diff --git a/jans-linux-setup/jans_setup/templates/jans-fido2/dynamic-conf.json b/jans-linux-setup/jans_setup/templates/jans-fido2/dynamic-conf.json
index 91f322e9be0..30d54c8f246 100644
--- a/jans-linux-setup/jans_setup/templates/jans-fido2/dynamic-conf.json
+++ b/jans-linux-setup/jans_setup/templates/jans-fido2/dynamic-conf.json
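Review bot: The added `log.debug` writes the whole MDS endpoints response body into the log; the body comes from a remote service and nothing in this method bounds its size, so a debug-enabled server logs whatever it is sent, line by line. If the payload is needed for troubleshooting, record its length and a bounded prefix instead, e.g. `log.debug("Fetch mds getEndpoints response, length: {}, body: {}", responseBody.length(), responseBody.substring(0, Math.min(responseBody.length(), 2048)));`. fetchMdsV3Endpoints starts outside the hunk.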
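Review bot: The loop now reads `requestedParty.getOrigins()` but the element is still called `domain`, so the method names the same value two ways; `for (String origin : requestedParty.getOrigins()) {` and `if (StringHelper.equalsIgnoreCase(documentDomain, origin)) {` keep the body consistent with the accessor. `getOrigins()` can return null when the setter is given null, in which case the enhanced for throws NullPointerException before any match is attempted; a null check here or a non-null default in the setter avoids that. The first party whose origin matches wins, so the order of the `rp` list decides which id is used when two parties share an origin; a one-line comment stating that would make the behaviour intentional. createRpDomain starts outside the hunk.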
@@ -28,10 +28,10 @@
 "RS256",
 "ES256"
 ],
-"requestedParties":[
+"rp":[
 {
-"name":"https://%(hostname)s",
-"domains":[
+"id":"https://%(hostname)s",
+"origins":[
 "%(hostname)s"
 ]
 }