This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/CZERTAINLY/CZERTAINLY-Auth/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

This issue was automatically created by Allstar.

Security Policy Violation
Did not find any owners of this repository
This policy requires all repositories to have a user or team assigned as an administrator. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator From the main page of the repository, go to Settings -> Manage Access.
(For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Currently we have the following options working with users that are authenticated using external identity provider:
AUTH_CREATE_UNKNOWN_USERS - Unknown user with username specified in JSON authentication token will be created
AUTH_CREATE_UNKNOWN_ROLES - Unknown role with name specified in JSON authentication token will be created and assigned to user

When user or role is created, they are not changed when there is some change in external identity provider which cause that the user data is not synchronized. A typical situation is when there is a change of roles for the user. Such change will not be currently reflected in CZERTAINLY.

We can implement new configuration property SYNC_POLICY that can be configured as follows:

• create-only - this will create users and roles as currently implement, and will be default option
• sync-data - this will assume that external identity provider has always current data and the data will be synchronized with the user data and roles in CZERTAINLY every login

When the desired behaviour is to keep the user data synchronized with the configuration of the external identity provider, it can be enabled by using the SYNC_POLICY=sync

Implement better general exceptions handling - improve ExceptionMiddleware

• unify exceptions handling, add base exception to have common response DTO
• different exception response based on environment (hide details in Production)
• add exception handling in existing code, raise corresponding exceptions

Create Authorization microservice where will be further implemented access control logic. Application should contain basic skeleton with implementation of individual app layers and Auth service DB model

Requirements:

• GitHub repository
• .NET 6 Web API application
• DB model entities with migration

Add trusted certificate passed as secret to be added as trusted during build/deployment. That will allow successfully fully validate certificate used for authentication.

Related PRs:
CZERTAINLY/CZERTAINLY-Core#127
CZERTAINLY/CZERTAINLY-EJBCA-NG-Connector#24

Create pipeline with automatic build and deploy Auth service to Kubernetes of same standards as other Czertainly platform services.

Implement endpoints that are integrated with getting and editing permissions of roles.

Requirements:

• retrieve all resources and their actions
• design DTOs to communicate with Core regarding permissions
• add endpoint to update permissions of role (incremental or replacement of all permissions with new ones)
• add endpoint to retrieve role and user permissions

Implement OIDC token authentication type of user as an alternative to client certificate.
Authentication with token should work as following:

• decode and parse token payload
• if user with username specified in token data does not exist, create new one
• if roles specified in token data does not exist, do not create new one
• assign existing roles from token data to user
• if no token or certificate is present or certificate does not have user assigned, throw 401

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• Update all non-major dependencies (Microsoft.EntityFrameworkCore, Microsoft.EntityFrameworkCore.SqlServer, Microsoft.EntityFrameworkCore.Tools, NLog.Extensions.Logging, NLog.Web.AspNetCore, Swashbuckle.AspNetCore, sigstore/cosign-installer)

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Implement resource sync endpoint to sync all resources and their actions used in Core service.
These information is then used to assign permissions only for existing resources and actions.

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch develop

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Describe the bug
User roles are only added but not removed, when user loses role.

To Reproduce

1. login into CZERTAINLY and make note of roles of an user
2. logout from CZERTAINLY
3. login into Keycloak
4. locate user, add some other value to groups, for example test
5. login into CZERTAINLY and check roles of that user, you should see that test was adddes
6. logout from CZERTAINLY and in Keycloak remove test group
7. login into CZERTAINLY and check roles of test user, you should see that test is still there

Expected behavior
I expect that when I remove group from user in Keycloak it is also removed in CZERTAINLY.

Screenshots

Keycloak screen showing that admin doesn't have test role

CZERTAINLY showing that admin user have both roles superadmin, test

Additional context
I'm running CZERTAINLY 2.11 and Keycloak 21

Change initial seeding of Auth service DB. Necessary system roles/users and migrated roles/users will be seeded from Core service.

Seeding of Auth service needs to be removed. To allow creation of system roles/users and set permissions of system roles, DTOs used for creation needs to be updated with corresponding properties.

Requirements:

• Implement authentication of user based on certificate sent with request
• Merge user permissions from permissions of roles he has assigned
• Response with complete user profile - user information, its roles and merged permissions

Add endpoints to Auth service that can retrieve permissions of user.

Requirements:

• get all resources and its actions
• get allowed resources for specified action/s
• get allowed actions for specific resource/s
• allow specifying object UUID for above mentioned get operations for allowed resources/actions