
Add client attestation mgt to Framework #5126

Merged
merged 7 commits into from
Nov 8, 2023

Conversation

@Thumimku Thumimku (Contributor) commented Nov 1, 2023

Proposed changes in this pull request

Issue: wso2/product-is#16836

Implementation

Add ClientAttestationMetaData to Service provider. This class represents the metadata related to client attestation.
This metadata is stored in Service provider properties, apart from the service now credential to access the Google Play Integrity API.
The credential is stored in the Secret Management component as ANDROID_ATTESTATION_CREDENTIALS.

The ClientAttestationServiceImpl class implements the ClientAttestationService interface and is responsible for validating client attestation. It ensures the authenticity and context of the client when API-based authentication is requested.
The class provides the following functionalities:

  1. Validation of attestation data, which can be specific to an Android client.
  2. Checks whether API-based authentication is enabled for the client application.
  3. Determines whether the client application is subscribed to client attestation validation.
  4. Validates attestation objects provided by the client application.
  5. Retrieves the service provider's configuration for client attestation.

The AndroidAttestationValidator class is responsible for validating client attestation for Android clients. It ensures the authenticity and integrity of the client's attestation data, which is typically provided in the form of an integrity token.
The class provides the following functionalities:

  1. Decoding and verifying the authenticity of the provided integrity token using the Google Play Integrity API.
  2. Validating the overall integrity of the client's request, including request details and application integrity.
  3. Checking if the application is recognized as "PLAY_RECOGNIZED" by the Google Play Integrity API.
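The checks the description attributes to AndroidAttestationValidator, as an added Python example that is not the PR's Java code: the real validator decodes the integrity token through the Google Play Integrity API, so this block starts from the decoded verdict JSON instead, then checks the request details (package name, nonce, timestamp inside the configured allowed window) and that the application is "PLAY_RECOGNIZED". It goes beyond the description in two places: the device-integrity verdict is also checked, and the allowed-window setting is parsed with a logged fallback default rather than treated as a validation failure. The sample verdict, the package name and nonce, the default window, the clock-skew tolerance and all function names are constructed for this example.

```python
"""Server-side validation of a decoded Play Integrity verdict (added example)."""
import hmac
import json
import logging
from dataclasses import dataclass
from typing import Optional

LOG = logging.getLogger("client_attestation")

# Hypothetical defaults for this example: 5 minutes of validity, 60 s of skew.
DEFAULT_ALLOWED_WINDOW_MS = 5 * 60 * 1000
CLOCK_SKEW_MS = 60 * 1000


@dataclass
class ClientAttestationContext:
    """Outcome of validation: attested flag plus a failure reason when rejected."""
    attested: bool = False
    validation_failure_message: Optional[str] = None

    def reject(self, message: str) -> "ClientAttestationContext":
        self.attested = False
        self.validation_failure_message = message
        return self


def parse_allowed_window_ms(raw: Optional[str]) -> int:
    """Parse the allowed-window config; on bad input log and use the default."""
    try:
        value = int(str(raw).strip())
        if value <= 0:
            raise ValueError("allowed window must be positive")
        return value
    except (TypeError, ValueError) as exc:
        LOG.error("Error while parsing attestation allowed window timeout config %r; "
                  "falling back to %d ms", raw, DEFAULT_ALLOWED_WINDOW_MS, exc_info=exc)
        return DEFAULT_ALLOWED_WINDOW_MS


def validate_integrity_verdict(decoded_verdict: str, expected_package: str,
                               expected_nonce: str, now_ms: int,
                               allowed_window_ms: int = DEFAULT_ALLOWED_WINDOW_MS
                               ) -> ClientAttestationContext:
    """Apply request-detail, freshness, app-integrity and device-integrity checks."""
    ctx = ClientAttestationContext()
    try:
        verdict = json.loads(decoded_verdict)
    except json.JSONDecodeError:
        return ctx.reject("Attestation verdict is not valid JSON.")

    request = verdict.get("requestDetails") or {}
    app = verdict.get("appIntegrity") or {}
    device = verdict.get("deviceIntegrity") or {}

    # Request details: the verdict must belong to this app and this request.
    if (request.get("requestPackageName") != expected_package
            or app.get("packageName") != expected_package):
        return ctx.reject("Package name in attestation does not match the application.")
    nonce = str(request.get("nonce") or "")
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        return ctx.reject("Nonce in attestation does not match the request.")

    # Freshness: timestampMillis is a decimal string in the decoded verdict.
    try:
        issued_ms = int(request.get("timestampMillis"))
    except (TypeError, ValueError):
        return ctx.reject("Attestation timestamp is missing or malformed.")
    if issued_ms > now_ms + CLOCK_SKEW_MS or now_ms - issued_ms > allowed_window_ms:
        return ctx.reject("Attestation is outside the allowed time window.")

    # Application integrity: only a Play-recognized build is accepted.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return ctx.reject("Application is not recognized by Google Play.")

    # Device integrity (beyond the PR description): device must pass basic checks.
    if "MEETS_DEVICE_INTEGRITY" not in (device.get("deviceRecognitionVerdict") or []):
        return ctx.reject("Device does not meet integrity requirements.")

    ctx.attested = True
    return ctx


# Constructed sample verdict in the shape the Play Integrity API returns after decoding.
SAMPLE_VERDICT = json.dumps({
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "timestampMillis": "1699999990000",
                       "nonce": "c29tZS1yYW5kb20tbm9uY2U"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.bank", "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
})

if __name__ == "__main__":
    result = validate_integrity_verdict(SAMPLE_VERDICT, "com.example.bank",
                                        "c29tZS1yYW5kb20tbm9uY2U", now_ms=1_700_000_000_000)
    print(result)
```

The nonce is compared with `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many leading bytes match, and every rejection fails closed with a reason recorded in the context; whether that reason is shown to the caller or only logged is a separate decision.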

@Thumimku Thumimku force-pushed the client-attestation-mgt branch from 4c7e9ce to 937246f Compare November 2, 2023 06:34
@Thumimku Thumimku force-pushed the client-attestation-mgt branch 2 times, most recently from 0ef5920 to 9a3edb4 Compare November 3, 2023 04:42
@Thumimku Thumimku force-pushed the client-attestation-mgt branch 5 times, most recently from 703df1e to 904d3ed Compare November 6, 2023 12:54
@jenkins-is-staging
PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6771840455
Status: failure

/**
* This method indicates which client Attestation validation type, it can handle.
*
* @return OS name.
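Review bot: the `@return OS name.` tag contradicts the sentence above it, which says the method reports the client attestation validation type it can handle; state which of the two the method actually returns, and drop the stray comma in `validation type, it can handle`.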
Reviewer (Member) comment:

comment on return should be updated.

Comment on lines +236 to +240
LOG.error("Error while parsing attestation allowed window timeout config: " + allowedWindow, e);
clientAttestationContext.setAttested(false);
clientAttestationContext.setValidationFailureMessage("Error while parsing attestation allowed window " +
"timeout config. Probably a misconfiguration, hence rejecting the request.");
return false;
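Review bot: the catch block on lines 236-240 fails closed on an unparsable allowed-window value, which is the safe direction, but it reports an operator-side misconfiguration through setValidationFailureMessage as if it were a client attestation failure. Either fall back to a documented default window while keeping the LOG.error, or let the exception propagate so the misconfiguration breaks the flow visibly; in both cases keep the "probably a misconfiguration" detail in the log rather than in the message stored on the context.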
@janakamarasena janakamarasena (Member) Nov 7, 2023

Let's fall back to a hardcoded default (along with an error log) or throw the exception out and break the flow.

* OSGi declarative services component which handled registration and un-registration of
* ClientAttestationMgtServiceComponent.
*/

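Review bot: the class comment says the component handles registration and un-registration of `ClientAttestationMgtServiceComponent`, which is the component itself; name the service it registers and un-registers instead, and change `handled` to `handles` since the comment describes current behaviour.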
Reviewer (Member) comment:

Remove empty line

janakamarasena previously approved these changes Nov 7, 2023
@jenkins-is-staging
PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6780864300
Status: failure

@jenkins-is-staging
PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6783453443
Status: failure

@Thumimku Thumimku force-pushed the client-attestation-mgt branch from 433a483 to 51cbff7 Compare November 7, 2023 16:48
@jenkins-is-staging
PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/6787701078
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/6787701078

@Thumimku Thumimku merged commit 17e579e into wso2:master Nov 8, 2023
1 check passed
3 participants