altinn / altinn-auth-audit-log Goto Github PK
View Code? Open in Web Editor NEWAudit log for authentication and authorisation activities
License: MIT License
Audit log for authentication and authorisation activities
License: MIT License
This task is created to make manual test plan for end to end testing of Audit log component.
Test cases to be tested should be listed here. Test cases should cover component level testing and full flow testing. Both positive and negative tests should be listed.
**Instantiation of different apps by different users to verify logs in authentication **
**With feature toggle on and off **
**Verify logs for org and Changes made by different users on app after instantiation **
**Verify logs when Org is delegating MaskinPortenScheme and resources **
When verifying audit log it shows wrong ID for user who is logged in with TestID login method @acn-dgopa
Now the auditlog is ready to be deployed in production. Release notes draft will be created at 00:00 20.march. Publish the release notes and that will trigger the deployment to tt02 and production
The security log component will be the component responsible for adding logs to database for authorization and authentication. Setup a database for audit log with table AuthenticationEvent
As part of transistion to the new cloud platform we need to create a new Authentication log.
Do we need to log additional info like scope?
As part of the requirements, we need to define
Suggestion
Hashing of a selected set of properties together with signing the hash reduces the chance that logs have been tampered with.
https://learn.microsoft.com/en-us/dotnet/standard/security/cryptographic-signatures
Use SHA384 to Hash values.
Use RSA to sign HASH.
Do we need to support rotation of certificates. How should we know which certificates to
###Analysis
Add a readme file to the auditlog component that describes about the project and the practical guidelines.
Setup actions to build, run unit tests and analyze audit log component
Infrastructure to host the audit-log component, storage queue for the log events, function to process the queue must be tested in a development/testing environment to ensure the log workflow/dataflow from authentication/authorization components. The infrastructure can be set up in test subscription with own resource group for audit-log component.
When issue Altinn/altinn-authentication#372 is resolved, the eventlog implementation in authentication/authoriztion must be updated to map the ipadress from the request to the ipaddress in event model
The security log component will be the component responsible for adding logs to database for authorization events. Add an endpoint to enable this logging.
Components that send log requests must be authenticated.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@babel/core
, @babel/eslint-parser
, yarn
)Microsoft.AspNetCore.Mvc.Testing
, Microsoft.AspNetCore.OpenApi
, Microsoft.IdentityModel.Logging
, Microsoft.IdentityModel.Tokens
, coverlet.collector
)src/test/K6/docker-compose.yml
loadimpact/k6 0.48.0
Dockerfile
mcr.microsoft.com/dotnet/sdk 8.0-alpine
mcr.microsoft.com/dotnet/aspnet 8.0-alpine
src/Altinn.Auth.AuditLog/Dockerfile
mcr.microsoft.com/dotnet/aspnet 8.0
mcr.microsoft.com/dotnet/sdk 8.0
.github/actions/deploy/action.yml
denoland/setup-deno v1
Azure/functions-action v1
.github/actions/release/action.yml
denoland/setup-deno v1
release-drafter/release-drafter v6
.github/workflows/build-analyze.yml
actions/checkout v4
actions/setup-dotnet v4
actions/setup-dotnet v4
actions/setup-java v4
actions/checkout v4
actions/cache v4
actions/cache v4
.github/workflows/build-deploy-at.yml
actions/checkout v4
actions/setup-dotnet v4
actions/upload-artifact v4
docker/setup-buildx-action v3
docker/login-action v3
docker/build-push-action v5
actions/checkout v4
actions/download-artifact v4
azure/login v2
.github/workflows/create-release-draft.yml
actions/checkout v4
.github/workflows/deploy-after-release.yml
actions/checkout v4
actions/setup-dotnet v4
actions/upload-artifact v4
shrink/actions-docker-registry-tag v4
actions/checkout v4
actions/download-artifact v4
azure/login v2
actions/checkout v4
actions/download-artifact v4
azure/login v2
.github/workflows/manual-build-deploy-to-environment.yml
actions/checkout v4
actions/setup-dotnet v4
actions/upload-artifact v4
docker/setup-buildx-action v3
docker/login-action v3
docker/build-push-action v5
actions/checkout v4
actions/download-artifact v4
azure/login v2
.github/workflows/pr-labeler.yml
TimonVS/pr-labeler-action v5
src/test/K6/package.json
@babel/core 7.24.0
@babel/eslint-parser 7.23.10
eslint 8.57.0
prettier 3.2.5
yarn 3.8.0
Altinn.Auth.AuditLog.Functions.Tests/Altinn.Auth.AuditLog.Functions.Tests.csproj
coverlet.collector 6.0.1
xunit.runner.visualstudio 2.5.7
xunit 2.7.0
Moq 4.20.70
Microsoft.NET.Test.Sdk 17.9.0
src/Altinn.Auth.AuditLog.Core/Altinn.Auth.AuditLog.Core.csproj
Microsoft.Extensions.Logging 8.0.0
src/Altinn.Auth.AuditLog.Persistence/Altinn.Auth.AuditLog.Persistence.csproj
Npgsql 8.0.2
src/Altinn.Auth.AuditLog/Altinn.Auth.AuditLog.csproj
Microsoft.SourceLink.GitHub 8.0.0
Yuniql.PostgreSql 1.3.15
Yuniql.AspNetCore 1.2.25
Swashbuckle.AspNetCore 6.5.0
Npgsql.DependencyInjection 7.0.6
Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.19.6
Microsoft.IdentityModel.Tokens 7.4.0
Microsoft.IdentityModel.Logging 7.4.0
Microsoft.AspNetCore.OpenApi 7.0.16
Microsoft.ApplicationInsights.AspNetCore 2.22.0
Microsoft.ApplicationInsights 2.22.0
Azure.Security.KeyVault.Secrets 4.6.0
Azure.Identity 1.10.4
Azure.Extensions.AspNetCore.Configuration.Secrets 1.3.1
Altinn.Authorization.ABAC 0.0.8
src/Functions/Altinn.Auth.AuditLog.Functions/Altinn.Auth.AuditLog.Functions.csproj
Microsoft.Extensions.Azure 1.7.2
Microsoft.Azure.Functions.Worker.Sdk 1.17.2
Microsoft.Azure.Functions.Worker.Extensions.Storage 6.3.0
Microsoft.Azure.Functions.Worker.Extensions.Http 3.1.0
Microsoft.Azure.Functions.Worker 1.21.0
Azure.Storage.Queues 12.17.1
Azure.Storage.Files.Shares 12.17.1
Azure.Storage.Blobs 12.19.1
Altinn.Authorization.ABAC 0.0.8
src/test/Altinn.Auth.AuditLog.Tests/Altinn.Auth.AuditLog.Tests.csproj
coverlet.collector 6.0.1
xunit.runner.visualstudio 2.5.7
xunit 2.7.0
Moq 4.20.70
Microsoft.NET.Test.Sdk 17.9.0
Microsoft.AspNetCore.Mvc.Testing 8.0.2
A release routine must be setup to deploy updates to TT02/Prod environment. As of now, the release routine for Team Authorisasjon is TT02 on tuesdays and prod on wednesdays.
Container Application
A github release will be created every wednesday at 00:00. The release will have a naming format [year].[month].[day]. A github package registry will be tagged on every wednesday for container app. The package will have a release version in the format [year].[month].[day] f.ex 2024.3.18. The package will be deployed to TT02 on wednesday and production deploy will wait until next tuesday.
The code will be tested for stability in TT02 for a week. The same package is then deployed to production.
Function application
A github release will be created every tuesday at 00:00. The release will have a naming format [year].[month].[day]. f.ex 2024.3.18. The function app will be deployed to TT02 on wednesday and production deploy will wait until next tuesday.
When app sends authorization request, it is actually sent by the PEP package to the platform authorization api. The PEP package does not include the x-forwarded-for header in the api request sent to the platform authorization api. Therefore the iaddress received in the authorization component is the ipaddress of the app cluster. But we need the ipaddress of the app client.
To acheive this,
Expected : Ipaddress of the app client is logged in the ipaddress column
No response
We need queue to receive all event log requests and function to process the requests in the queue. When authentication/authorization sends log request, it will be sent to the log queue. Azure function will then process each item in the queue and send log request to the authentication/authorization end point
@lovoll used some time to go over the logs and give some valuable feedback on eventlog. the following feedback is received
We should test partitioning on the table so we do not need to do what we do in Altinn 2, where we rename the table every year.
Event log data can increase over period and therefore partitioning can offer the following benefits
We expect the following numbers for the data
Altinn 3 applications will increase over time and the number of authentication/authorization requests will definitely increase over time which will produce enormous events. We expect the following
--TODO
As of now, we plan to save the data for a period of 2 years
The data is only made available internally. We will be frequently querying the event log data for a period of time in connection to requests from service owners.
The date time range can vary from
Examples of data retreival are
TODO
Event log data is usually accessed with the interest over a period. Range partitioning can help us partition the event log table based on datetime range
Keys that will be used mainly for query retreivals are
Datetime can be the right partitionkey in case of eventlog. Don't see a need for composite partition keys at this point of time.
Partitions are partitioned tables themselves. Since our data is expected to grow over time, It can be a good idea to sub partition the tables. F.ex, The main partition can be based on event year and the sub partitions can be based on event months of event year.
Postgres does not offer automatic creation of partitions. However it offers extension like TimeScaleDB for time-series data.
With the TimescaleDB extension, we can continue to use PostgreSQL while using TimescaleDB to scale for time-series workloads. Enabling the TimescaleDB extension on new or existing Azure Database for PostgreSQL server will eliminate the need to run two databases to collect their relational and time-series data.
TODO
Both Sharding and partitioning are techniques used to manage and distribute large datasets but they serve different purposes. While partitioning helps to organize data with a single database instance, Sharding involves distributing data across multiple database instances or servers.
Sharding is also known as horizontal partitioning. Each shard operates a separate db instance.
According to our data retrieval behavior for event log,
TODO
We will start with partitioning using timescaledb extension in azure postgres. Azure postgres sql supports apache license and automatic data retention is not supported in apache license. we must use "timescale" license for automatic data retention. However it is possible to manually delete the chunk based on a time, f.eks every 2nd year.
See tasks
No response
No response
The auditlog component will be deployed as container app in azure. The code will be packaged as a package in github container registry.
Currently we have some K6 tests in auditlog api app that can be run after deploy in any environment. The auditlog api will have access limited only to function app that processes the authentication and authorization events. So instead of running several independent test suites against auditlog api and function app, it is a good idea to create end-to-end tests f.ex
Now to verify that the end-to-end test, we have to assert the queue message against data in the database. This can be acheived by either running some db script (needs some access setting) to fetch the data from database or via a get endpoint that can retreive the log based on userid,partyid,organisationid or date. The latter if established can also be used by the service desk team to verify some data in connection to any service desk cases.
Setup and implement Bruno tests for api endpoints
I sammenheng med utvikling av nye logger for autentisering og autorisasjon trenger vi en juridisk vurdering.
Skal vi inkludere DelegationEvent log og Azure log?
Lage begrepsliste
Vurdering av behandlingsansvar?
Krav om delvis sletting av informasjonselementer, f.eks. IP-adresse?
Mulige informasjonselementer autentisering
A release routine must be setup to deploy updates to TT02/Prod environment. As of now, the release routine for Team Authorisasjon is TT02 on tuesdays and prod on wednesdays.
A github package registry will be created for TT02 on every tuesday. The package will have a release version in the format v[year].[revision] f.ex v2023.1 which means 1st release in year 2023.
The code will be tested for stability in TT02 for a week. The same package is then deployed to production.
Setup and implement K6 tests for api endpoints
QA of the logging in at environment was taken as input for the discussion with the team about logging and the team came up with many good feedback points such as
The auditlog component will be continously integrated and deployed to all Acceptance test environments. Each time a PR is merged into the main branch, a packaging actions must be triggered. This action must package the code in to a docker image and publish into github package registry. The package(image) is tagged with the commit hash. The same image is then deployed to all the AT environments parallely
Npgsql throws too many clients exception
Rewrite the postgressql connection methods to handle the connection effectively
The security log component will be the component responsible for adding logs to database for authorization and authentication events.
How to protect access to the event queue?
The assumption is that we share SAS key for storage queue with the authentication and authorization component and don't need any additional measures to protect the queue.
Hashing and signing
Hashing of a selected set of properties together with signing the hash reduces the chance that logs have been tampered with.
https://learn.microsoft.com/en-us/dotnet/standard/security/cryptographic-signatures
Use SHA384 to Hash values.
The list of values that need to be included in Hash is
TODO
Use RSA to sign HASH.
Do we need to support rotation of certificates?
We will use postgres database for authentication and authorization event logging.
Open Questions
Database structure for authentication events
Database structure for authorization events
For authorization Events, the following events is identified :
PDP AuthorizationRequest
This is when some component requests the PDP to decide if a user/system is authorized
The suggested approach is to store separate
{
"Request": {
"ReturnPolicyIdList": true,
"AccessSubject": [
{
"Attribute": [
{
"AttributeId": "urn:altinn:userid",
"Value": "1"
},
{
"AttributeId": "urn:altinn:role",
"Value": "dagl"
},
{
"AttributeId": "urn:altinn:role",
"Value": "utinn"
}
]
}
],
"Action": [
{
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
"Value": "read",
"DataType": "http://www.w3.org/2001/XMLSchema#string"
}
]
}
],
"Resource": [
{
"Attribute": [
{
"AttributeId": "urn:altinn:instance-id",
"Value": "1000/26133fb5-a9f2-45d4-90b1-f6d93ad40713",
"IncludeInResult": true
},
{
"AttributeId": "urn:altinn:org",
"Value": "skd"
},
{
"AttributeId": "urn:altinn:app",
"Value": "taxreport"
},
{
"AttributeId": "urn:altinn:partyid",
"Value": "1000"
},
{
"AttributeId": "urn:altinn:task",
"Value": "formfilling"
}
]
}
]
}
}
We should test partitioning on the table so we do not need to do what we do in Altinn 2, where we rename the table every year.
Should we log a request/response if we have cached it? (we currently do not cache decisions)
50.000.000 instances
50 authorizations per instance
1kb per log
2.500.000.000 log lines
2.500.000 MBytes
2.5 Terra Bytes log
It was agreed during the logging discussion that we implement session id to get overview of the user's activities for a given period of time. In addition the external session id, the token issuer and subscription key that was used to send api request is also logged in to the authentication event database
Etablere loggtjeneste som logger hvem som har fått tilgang til, eller har utført handling en handling mot, hva og når. Denne loggen må være «write-only» med høy grad av nøyaktighet og integritet, slik at den kan brukes under etterforskning og bevis ved misbruk av løsninger eller liknende
Altinn 3 trenger logger slik at man i forbindelse med autentisering og autorisasjon kan ettergå når og av hvem en handling er utført og hvilke rettigheter vedkommende hadde på gjeldende tidspunkt. Loggingen må utføres slik at det ikke påvirker ytelsen i resten av løsningen negativt. Disse loggene må bade tilfredstille tekniske og juridiske krav
Potensiell kompleksitet tilknyttet forskjellig lagringstid på info elementene.
Hvis nødvendig må det etableres slettemekanismer etter definerte tidsperioder.
Audit log component will be hosted as a container app. Authentication/Authorization component will write each authentication/authorization event to a storage queue. A function app is set with queue trigger such that each event is processed by the function app. The function app then sends api request to specific endpoint(Authentication/authorization) in auth-audit-log component. The auth-audit-log component write the event to the auth-audit-log database.
When creating a new component responsible for security logging, we must decide whether to deploy it to Platform Cluster or as A Separate Azure Container App.
See #5 for more details
Decide if SecurityLog component should be deployed as a pod in the Platform cluster or as an Azure Container App.
No response
No response
No response
No response
Following feedback is registered after the QA of the event log in authorization
Function app changes must be continuously built and deployed to azure. The process must be implemented as a GitHub action.
Docker file for the app is missing mkdir cmd to create the configured storage folder for telemetry, causing a lot of warnings to be logged as the setup is incomplete.
See appinsights
No response
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.