feat(jans-cedarling): implement new bootstrap configs for JWT validation

[rmarinn]

Prepare

• Read PR guidelines
• Read license information

---

Description

This PR adds the implementation of the new bootstrap config items onto the JwtService.

Target issue

target issue #10142

closes #10142

Implementation Details

The JwtService now has implementations to handle the following bootstrap configs:

• CEDARLING_AT_ISS_VALIDATION: When enabled, the iss claim must be present in access token and the scheme must be https.
• CEDARLING_AT_JTI_VALIDATION: When enabled, the jti claim must be present in access token.
• CEDARLING_AT_NBF_VALIDATION When enabled, the nbf claim must be present in access token and the Cedarling should verify that the current date is after the nbf.
• CEDARLING_AT_EXP_VALIDATION When enabled, the exp claim must be present and not past the date specified.
• CEDARLING_IDT_ISS_VALIDATION When enabled, the iss claim must be present in id_token and the scheme must be https.
• CEDARLING_IDT_SUB_VALIDATION When enabled, the sub claim must be present in id_token.
• CEDARLING_IDT_EXP_VALIDATION When enabled, the exp claim must be present and not past the date specified.
• CEDARLING_IDT_IAT_VALIDATION When enabled, the iat claim must be present in id_token.
• CEDARLING_IDT_AUD_VALIDATION When enabled, the aud claim must be present in id_token.
• CEDARLING_USERINFO_ISS_VALIDATION When enabled, the iss claim must be present and the scheme must be https.
• CEDARLING_USERINFO_SUB_VALIDATION When enabled, the sub claim must be present in Userinfo JWT.
• CEDARLING_USERINFO_AUD_VALIDATION When enabled, the aud claim must be present in Userinfo JWT.
• CEDARLING_USERINFO_EXP_VALIDATION When enabled, the exp claim must be present and not past the date specified.
• CEDARLING_ID_TOKEN_TRUST_MODE Strict | None. Varying levels of validations based on the preference of the developer. Strict mode requires (1) id_token's aud matches the access_token's client_id; (2) if a Userinfo token is present, the sub matches the id_token, and that the aud matches the access token client_id.

A refactor was done with the JwtService's internals but it's usage is unchanged.

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on enhancing the security and reliability of the Cedarling application, with updates to JWT validation, authorization configuration, logging and monitoring, error handling, and secure coding practices.

Expand for full summary

Summary:

The provided code changes cover a variety of updates and improvements across the Cedarling application, with a strong focus on enhancing the security and reliability of the application's core functionality. The changes include:

1. JWT Validation and Configuration: The code introduces more granular control over JWT validation, including options for using a local JWKS, enabling/disabling signature and status validation, and configuring validation rules for different token types (access, ID, userinfo). This helps improve the overall security of the JWT handling in the application.

2. Authorization Configuration and Policy Management: The changes include updates to the BootstrapConfig and AuthorizationConfig, allowing for better control over authorization policies and the integration with a policy store, either from a remote location or a local file.

3. Logging and Monitoring: The code adds more flexibility in the logging configuration, including the ability to send logs to a "Lock" server, which can aid in security monitoring and incident investigation.

4. Error Handling and Testing: The changes demonstrate a focus on improving error handling and testing, which are crucial for maintaining a secure and reliable application.

5. Dependency Management and Secure Coding Practices: The updates show a commitment to using secure coding practices, such as proper input validation, sanitization, and the use of well-established libraries like reqwest for HTTP client functionality.

Overall, the code changes in this pull request appear to be focused on enhancing the security and reliability of the Cedarling application, with a particular emphasis on the handling of authentication, authorization, and logging functionality. These improvements are essential for maintaining the security posture of the application and protecting it from potential vulnerabilities.

Files Changed:

1. jans-cedarling/bindings/cedarling_python/src/config/bootstrap_config.rs: Updates to the BootstrapConfig struct, including changes to the TrustMode enum and the renaming of NewBootstrapConfig to BootstrapConfig.
2. jans-cedarling/bindings/cedarling_python/src/authorize/errors.rs: Introduction of a new ProcessTokens error type to the AuthorizeError enum.
3. jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md: Update to the example configuration, changing the instantiation of BootstrapConfig from NewBootstrapConfig to BootstrapConfig.
4. docs/cedarling/cedarling-properties.md: Provides information about the local JSON Web Key Store (JWKS) configuration for the Cedarling application.
5. jans-cedarling/bindings/cedarling_python/src/config/mod.rs: Removal of the jwt_config module from the register_entities function.
6. jans-cedarling/cedarling/Cargo.toml: Addition of the time crate with the wasm-bindgen feature.
7. jans-cedarling/cedarling/examples/authorize_without_jwt_validation.rs: Change in the JwtConfig from JwtConfig::Disabled to JwtConfig::new_without_validation().
8. jans-cedarling/cedarling/examples/log_init.rs: Change in the JwtConfig from JwtConfig::Disabled to JwtConfig::new_without_validation().
9. jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs: Detailed configuration of the JwtConfig for access tokens, ID tokens, and userinfo tokens.
10. jans-cedarling/cedarling/src/authz/authorize_result.rs: Implementation of the is_allowed() method in the AuthorizeResult struct.
11. jans-cedarling/cedarling/src/authz/entities/mod.rs: Renaming of DecodeTokensResult to ProcessTokensResult and handling of role mapping field in token data.
12. jans-cedarling/cedarling/src/authz/mod.rs: Introduction of AuthzInitError and AuthorizeError error types.
13. jans-cedarling/cedarling/src/bootstrap_config/decode.rs: Comprehensive JWT configuration options and introduction of the `AuthorizationConfig

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.