feat(jans-cedarling): update Trusted Issuers schema in the policy store #10141

Merged
merged 6 commits into from
Nov 14, 2024

@rmarinn rmarinn commented Nov 14, 2024

Prepare


Description

This PR updates the parser to handle the new Trusted Issuers and Token Entity Metadata schemas.

Target issue

The issue addressed by this PR involves users being unable to directly use policy stores exported from Agama Lab's Policy Designer.

closes #10038

Implementation Details

Updated Trusted Issuers Schema

"trusted_issuers": {
  "some_unique_id" : {
    "name": "name_of_the_trusted_issuer",
    "description": "description for the trusted issuer",
    "openid_configuration_endpoint": "https://<trusted-issuer-hostname>/.well-known/openid-configuration",
    "access_tokens": { 
      "trusted": true,
      "principlal_identifier": "jti",
      ...
    },
    "id_tokens": { ... },
    "userinfo_tokens": { ... },
    "tx_tokens": { ... },
  },
  ...
}

Updated Token Entity Metadata schema (used for: access_tokens, id_tokens, userinfo_tokens, and tx_tokens).

{
  "token_type": {
    "user_id": "<field name in token (e.g., 'email', 'sub', 'uid', etc.) or '' if not used>",
    "role_mapping": "<field for role assignment (e.g., 'role', 'memberOf', etc.) or '' if not used>",
    "claim_mapping": {
      "mapping_target": {
        "parser": "<type of parser ('regex' or 'json')>",
        "type": "<type identifier (e.g., 'Acme::Email')>",
        "...": "Additional configurations specific to the parser"
      },
    },
  }
}

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.
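An added example, not code from this PR or from the Cedarling code base: a pre-load check that walks a policy store's `trusted_issuers` map against the two schemas in the description above and reports entries a reviewer would want to see before the store is trusted. Assumptions: the function names are hypothetical, `trusted_issuers` and the removed `identity_source` are read from the object passed in, and the https requirement on the discovery endpoint is this example's own rule.

```python
import json
from urllib.parse import urlsplit

TOKEN_KINDS = ("access_tokens", "id_tokens", "userinfo_tokens", "tx_tokens")
PARSERS = ("regex", "json")  # the two parser kinds named in the schema

def check_token_metadata(path, meta):
    """Return findings for one Token Entity Metadata object."""
    if not isinstance(meta, dict):
        return [f"{path}: expected an object"]
    findings = []
    if not isinstance(meta.get("trusted", True), bool):
        findings.append(f"{path}.trusted: expected true or false")
    for key in ("user_id", "role_mapping"):
        if not isinstance(meta.get(key, ""), str):
            findings.append(f"{path}.{key}: expected a claim name or ''")
    mappings = meta.get("claim_mapping", {})
    for target, mapping in (mappings.items() if isinstance(mappings, dict) else []):
        where = f"{path}.claim_mapping.{target}"
        if not isinstance(mapping, dict) or mapping.get("parser") not in PARSERS:
            findings.append(f"{where}.parser: must be 'regex' or 'json'")
        elif not isinstance(mapping.get("type"), str):
            findings.append(f"{where}.type: missing type identifier")
    return findings

def check_policy_store(store):
    """Return findings for a policy store object holding trusted_issuers."""
    findings = []
    if "identity_source" in store:  # field removed by this PR
        findings.append("identity_source: removed field, use trusted_issuers")
    for issuer_id, issuer in store.get("trusted_issuers", {}).items():
        path = f"trusted_issuers.{issuer_id}"
        issuer = issuer if isinstance(issuer, dict) else {}
        url = urlsplit(str(issuer.get("openid_configuration_endpoint", "")))
        # Assumption of this example: discovery metadata must be fetched over TLS.
        if url.scheme != "https" or not url.hostname:
            findings.append(f"{path}.openid_configuration_endpoint: not an https URL")
        for kind in TOKEN_KINDS:
            if kind in issuer:
                findings += check_token_metadata(f"{path}.{kind}", issuer[kind])
    return findings

# Constructed sample, not taken from the PR: three schema problems and a legacy field.
SAMPLE = json.loads("""{"identity_source": {}, "trusted_issuers": {"idp1": {
  "name": "Example IdP", "description": "constructed sample",
  "openid_configuration_endpoint": "http://idp.example.test/.well-known/openid-configuration",
  "access_tokens": {"trusted": true, "user_id": "sub", "role_mapping": "",
    "claim_mapping": {"email": {"parser": "xml", "type": "Acme::Email"}}},
  "id_tokens": {"trusted": "yes"}}}}""")
```

`check_policy_store(SAMPLE)` returns one finding per problem, each prefixed with the JSON path of the offending field.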

- Update the trusted_issuers field in the PolicyStore to reflect
  the new schema.
- Remove the identity_source field since it has
  duplicate function with the trusted_issuers field.

Signed-off-by: rmarinn <[email protected]>
@rmarinn rmarinn self-assigned this Nov 14, 2024
@rmarinn rmarinn added the comp-jans-cedarling Touching folder /jans-cedarling label Nov 14, 2024

dryrunsecurity bot commented Nov 14, 2024

DryRun Security Summary

The pull request focuses on enhancing the security and reliability of the Cedarling application, a policy-based access control system, by introducing trusted issuer configurations, improving token validation and claim parsing, updating the policy store schema and definitions, and implementing comprehensive error handling and robustness measures.


Summary:

The code changes in this pull request focus on enhancing the security and reliability of the Cedarling application, which is a policy-based access control system. The changes span across multiple files and cover various aspects of the application's security architecture, including:

  1. Trusted Issuer Configuration: The code introduces the concept of "trusted issuers" and provides detailed configurations for handling access tokens, ID tokens, and user information tokens from these trusted sources. This is a crucial security feature that helps ensure the integrity of the user identities and permissions used in the access control system.

  2. Token Validation and Claim Parsing: The changes include improvements to the token validation and claim parsing processes, ensuring that the application can correctly verify the authenticity and integrity of the tokens used for authentication and authorization. This includes handling missing claims, invalid signatures, and other potential security issues.

  3. Policy Store Schema and Definitions: The code updates the policy store schema and definitions, which control the access to various resources and actions within the Cedarling application. The changes focus on improving the security and flexibility of the policy management system, including support for conditional policies and role-based access control.

  4. Error Handling and Robustness: The code includes comprehensive tests that cover various error scenarios, such as missing claims, expired tokens, and issues with fetching the OpenID configuration and JSON Web Keys. This helps ensure that the application can gracefully handle these situations and maintain its security posture.

Overall, the changes in this pull request demonstrate a strong focus on application security, with a particular emphasis on token validation, trusted identity management, and secure policy enforcement. These improvements are crucial for maintaining the integrity and reliability of the Cedarling application, which is likely dealing with sensitive user data and access control mechanisms.

Files Changed:

  1. jans-cedarling/bindings/cedarling_python/example_files/policy-store.json: This file contains the policy store configuration, including the definition of trusted issuers, policy schemas, and sample policies.
  2. jans-cedarling/cedarling/src/authz/entities/mod.rs: This file includes changes related to the creation of entities, such as tokens and roles, based on the information extracted from the trusted issuers.
  3. jans-cedarling/bindings/cedarling_python/example.py: The changes in this file focus on improving the handling of the policy store location and providing more robust error handling.
  4. docs/cedarling/cedarling-policy-store.md: The documentation has been updated to provide more details on the trusted issuer configuration and the schema for the policy store.
  5. jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs: This file contains the implementation of custom deserialization logic for the ClaimMapping enum, which is used to handle different types of claim mappings.
  6. jans-cedarling/cedarling/src/common/policy_store.rs: The changes in this file are focused on enhancing the handling of trusted issuers and token metadata.
  7. jans-cedarling/cedarling/src/common/policy_store/test.rs: This file includes tests to ensure the robustness of the PolicyStore deserialization process.
  8. jans-cedarling/cedarling/src/common/policy_store/token_entity_metadata.rs: This file defines the metadata structures for handling access tokens and other token-related information.
  9. jans-cedarling/cedarling/src/jwt/test/with_validation/access_token.rs: The tests in this file focus on the validation of access tokens.
  10. jans-cedarling/cedarling/src/jwt/test/with_validation.rs: This file contains tests for the JWT validation functionality, including the handling of different token types.
  11. jans-cedarling/cedarling/src/init/service_config.rs: The changes in this file are related to the initialization of the ServiceConfig struct, which manages the trusted issuers and OpenID configurations.
  12. jans-cedarling/cedarling/src/jwt/test/with_validation/id_token.rs: This file includes tests for the validation of ID tokens.
  13. jans-cedarling/cedarling/src/jwt/test/with_validation/userinfo_token.rs: The tests in this file focus on the validation of userinfo tokens.

Code Analysis

We ran 9 analyzers against 21 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-docs Touching folder /docs kind-feature Issue or PR is a new feature request labels Nov 14, 2024
@rmarinn rmarinn marked this pull request as ready for review November 14, 2024 05:55

@duttarnab duttarnab left a comment


Looks good to me. We need to ensure all test cases run with the Trusted Issuers schema changes.

duttarnab previously approved these changes Nov 14, 2024

@djellemah djellemah left a comment


Looks fine to me.

My only question is this: will the identity_source to trusted_issuers rename prevent the import of a policy file exported by Policy Designer?

If so, will Policy Designer export be updated?


olehbozhok commented Nov 14, 2024

Looks fine to me.

My only question is this: will the identity_source to trusted_issuers rename prevent the import of a policy file exported by Policy Designer?

If so, will Policy Designer export be updated?

Update was made to support last structure in the wiki

@olehbozhok olehbozhok self-requested a review November 14, 2024 14:17
@olehbozhok olehbozhok enabled auto-merge (squash) November 14, 2024 14:28

@olehbozhok olehbozhok left a comment


Looks OK to me


@djellemah djellemah left a comment


Approving on the basis that Policy Designer will now output trusted_issuers instead of identity_source

@olehbozhok olehbozhok merged commit 9b49cee into main Nov 14, 2024
11 checks passed
@olehbozhok olehbozhok deleted the jans-cedarling-10038-redo branch November 14, 2024 14:44
Development

Successfully merging this pull request may close these issues.

fix(cedarling): Make cedarling Policy Store compatible with Agama Lab