poc-dsr-pep's Introduction

Device Security Rating Policy Enforcement Point

Note
This software is a proof of concept and is not intended for production use. It will not be maintained or receive updates. Concepts from this project will be used in gematik specifications to standardize Zero Trust in Telematics Infrastructure. Developers are encouraged to use the implementation ideas in their own software.

DSR PEP is a component that enforces the security policies defined by the DSR PDP (Open Policy Agent, OPA). It is an HTTP server that listens for incoming requests and forwards them to OPA for evaluation. OPA returns the decision and the PEP enforces it. The PEP performs the following tasks:

  • Verifies the device token

  • Verifies the device token binding

  • Creates the OPA policy input from the request

  • Asks OPA for the decision

  • Enforces the decision by returning either 200 or 403

At the moment only NGINX authentication sub-requests (auth_request) are supported. In the future we plan to support other gateways as well.

Configuration

The PEP is configured via the config file named pep-config.yaml located in the current working directory. Additionally, /etc/pep/pep-config.yaml is supported as a location, but the samples below use the working directory as the default. When used in Docker, the config file is expected to be mounted into the container at /app/pep-config.yaml or /etc/pep/pep-config.yaml.

Some additional files must be provided as well, in particular the OPA configuration file and all necessary certificates and keys.

Configuration keys:

  • address - Address where the PEP server will listen for incoming requests, in host:port format. host can be omitted in order to listen on all interfaces.

  • device_verify_jwks_path - Path to the JWKS used for verifying the device token.

  • embedded_opa - Configuration for running OPA in embedded mode.

  • embedded_opa.config_path - Path to the OPA configuration file. Used only when running OPA in embedded mode.

  • embedded_opa.simulation_config_path - Path to the OPA simulation configuration file. Used only when running OPA in embedded mode.

  • profiles - List of security profiles. See Security Profiles for more information.

For docker / docker compose compatible configuration, please refer to pep-config.yaml.

Security Profiles

PEP supports configuration of multiple security profiles. Each profile defines the minimum security requirements for different parts of the application. In the security profile, you can configure the following:

  • name - name of the profile

  • require_device_token - if set to true, the device token is required for all requests. If set to false, the device token is not required and only the session token is used.

  • device_token_binding_method - method used for binding the device token to the client. Possible values are x5t, jkt and none. If none is used, the device token is not bound and is just a bearer token.

  • session_token_binding_method - method used for binding the session token to the client. Possible values are x5t, jkt and none. If none is used, the session token is not bound and is just a bearer token.

Sample config file

```yaml
# This is the configuration file for the PEP.

# Address where PEP Server will listen for incoming requests
address: :8282
device_verify_jwks_path: ./e2e-tests/secrets/device-verify-jwks.json
# in case we run embedded opa, we use following config
embedded_opa:
  config_path: opa-config.yaml
  simulation_config_path: opa-simulation-config.yaml

# security profiles tune the minimum security requirements for different parts of the application
profiles:
  # strict profile requires zero trust device token and enforces token binding
  - name: strict
    # x5t, jkt, none
    device_token_binding_method: x5t
    require_device_token: true
    session_token_binding_method: x5t
  # lax profile requires only session token
  - name: lax
    # x5t, jkt, none
    device_token_binding_method: none
    require_device_token: false
    session_token_binding_method: none
```
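The following is an added example, not code from poc-dsr-pep, showing how the strict and lax profiles above turn into the token checks listed at the top of this page (device token present, device token bound, decision 200 or 403). The Go field names, the cnf claim names x5t#S256 and jkt, and the assumption that tokens arrive already signature-verified are all assumptions of the example; the OPA evaluation step is left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Profile mirrors the security-profile keys of pep-config.yaml (Go field names are assumed).
type Profile struct {
	Name, DeviceTokenBindingMethod, SessionTokenBindingMethod string // x5t, jkt or none
	RequireDeviceToken                                        bool
}
// Token is the cnf claim of a signature-verified JWT (nil: none sent); the claim names
// x5t#S256 (RFC 8705) and jkt (RFC 9449) are assumed here, not taken from the PoC.
type Token map[string]string
// Client is what the gateway saw: TLS client cert (DER) and/or proof key (canonical JWK JSON).
type Client struct{ CertDER, JWK []byte }

// checkBinding requires a token and, unless the method is none, proves it is bound to this client.
func checkBinding(method string, tok Token, c Client) error {
	if tok == nil {
		return fmt.Errorf("missing")
	}
	claim, material := "", []byte(nil)
	switch method {
	case "none": // plain bearer token, nothing to compare
		return nil
	case "x5t":
		claim, material = "x5t#S256", c.CertDER
	case "jkt":
		claim, material = "jkt", c.JWK
	} // any other method leaves material empty and fails closed below
	sum := sha256.Sum256(material) // both x5t#S256 and jkt are base64url(SHA-256(material))
	if len(material) == 0 || tok[claim] != base64.RawURLEncoding.EncodeToString(sum[:]) {
		return fmt.Errorf("%s binding check failed", method)
	}
	return nil
}

// Enforce applies the profile's token rules and answers 200 or 403 with a reason; the OPA step is left out.
func Enforce(p Profile, device, session Token, c Client) (int, string) {
	if p.RequireDeviceToken { // lax profiles ignore the device token entirely
		if err := checkBinding(p.DeviceTokenBindingMethod, device, c); err != nil {
			return 403, "device token " + err.Error()
		}
	}
	if err := checkBinding(p.SessionTokenBindingMethod, session, c); err != nil {
		return 403, "session token " + err.Error()
	}
	return 200, "ok"
}
```

A token stolen from one client fails the x5t or jkt check when replayed by another, which is the property the strict profile relies on and the lax profile gives up.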

Running local E2E tests

Start docker compose containers

```shell
cd e2e-tests
docker-compose down --remove-orphans
docker-compose up --build -d
```

Once all containers are up and running, you can run the tests:

Run tests

```shell
# will return 403 with error saying that X-Message header does not have expected value
curl http://localhost:8080/api
# let's give it the right value and receive 200
curl -H "X-Message: Hello World" http://localhost:8080/api
```

Running PEP locally in developer mode

Start docker compose containers

```shell
# from the project root directory
# it will only start the sample OPA bundle server
docker-compose down --remove-orphans
docker-compose up --build -d
```

Start PEP server

```shell
# from the project root directory
go run ./cmd/dsr-pep server
```

Once the PEP server is running, you can test it:

Run tests

```shell
# will return 403 with error saying that X-Message header does not have expected value
# please note the header X-Pdp-Decision. It is set by the PEP and contains the decision returned by the PDP
curl -v http://localhost:8282/lax/auth_request/sample/verdict
# Let's give it the right value and receive 200
curl -v -H "X-Message: Hello World" http://localhost:8282/lax/auth_request/sample/verdict
```
