Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Post CMS Connect-a-thon 5 #28

Merged
merged 110 commits into from
Jul 19, 2024
Merged

Post CMS Connect-a-thon 5 #28

merged 110 commits into from
Jul 19, 2024

Conversation

JoeShook
Copy link
Collaborator

The major change is Client Secret rollover when an Authorize request is signed with a valid certificate but the original secrets recorded in the ClientSecret table is marked as expired. UDAP certificate updates are seemless architecturally. So during the /authorize flow checks have been added to determine if the Secrets need to be updated. The updated expiration dates will be pulled from the certificate after the client_assertion signature has been validated.

This PR also contains new mTLS CA build scripts and a mTLS.Proxy.Server so developers can experiment and compare the mechanics of mTLS vs UDAP. It allows us to demonstrate that UDAP is also a proof-of-posession protocol on the server and at the client. UDAP is easier to troubleshoot because it communicates as a REST protocol. When a client certiificate fails in UDAP we will get a HTTP 401 status code. When mTLS fails we will have to resort to tools like Wireshark to start understanding the failure. It is just a little more mysterious to troubleshoot. Also mTLS tends to terminate at the loadbalancer where UDAP tends to terminate at the server or a proxy it is representing. This increases the confidence that a client it talking to the actual tenant instance. The possiblity for a loadbalancer misconfiguration in a multitenant environment can reduce the validity of proof-of-possesion at the server side.

JoeShook and others added 30 commits May 18, 2024 13:17
@JoeShook
Add a certificate for Brett from Optum
23742f6
@JoeShook
Merge branch 'develop' of https://github.com/JoeShook/udap-dotnet int…
3dabd5e 
…o develop
@JoeShook
Remove code that should not be in this repo. It is used by UdapEd, so…
02f8959 
… I moved it there.
@JoeShook
Update BuildTestCerts.cs
13ef015
@dependabot
---
b554c3e 
updated-dependencies:
- dependency-name: Swashbuckle.AspNetCore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
Make the allow remember consent to default to false.
da91434
@JoeShook
Merge pull request #518 from JoeShook/dependabot/nuget/develop/Swashb…
f995271 
…uckle.AspNetCore-6.6.2

Bump Swashbuckle.AspNetCore from 6.6.1 to 6.6.2
@dependabot
Bump Microsoft.NET.Test.Sdk from 17.9.0 to 17.10.0
1f4b7ab 
Bumps [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.9.0 to 17.10.0.
- [Release notes](https://github.com/microsoft/vstest/releases)
- [Changelog](https://github.com/microsoft/vstest/blob/main/docs/releases.md)
- [Commits](microsoft/vstest@v17.9.0...v17.10.0)

---
updated-dependencies:
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Udap.Client, Udap.Common and Udap.Util
d3a1df9 
Bumps [Udap.Client](https://github.com/JoeShook/udap-dotnet), Udap.Common and Udap.Util. These dependencies needed to be updated together.

Updates `Udap.Client` from 0.3.47 to 0.3.48
- [Commits](v0.3.47...v0.3.48)

Updates `Udap.Common` from 0.3.47 to 0.3.48

Updates `Udap.Util` from 0.3.47 to 0.3.48

---
updated-dependencies:
- dependency-name: Udap.Client
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: Udap.Common
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: Udap.Util
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump FluentAssertions.Analyzers from 0.31.0 to 0.32.0
d38f5fc 
Bumps [FluentAssertions.Analyzers](https://github.com/fluentassertions/fluentassertions.analyzers) from 0.31.0 to 0.32.0.
- [Release notes](https://github.com/fluentassertions/fluentassertions.analyzers/releases)
- [Commits](fluentassertions/fluentassertions.analyzers@v0.31.0...v0.32.0)

---
updated-dependencies:
- dependency-name: FluentAssertions.Analyzers
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump xunit from 2.8.0 to 2.8.1
465c398 
Bumps [xunit](https://github.com/xunit/xunit) from 2.8.0 to 2.8.1.
- [Commits](xunit/xunit@2.8.0...2.8.1)

---
updated-dependencies:
- dependency-name: xunit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.IdentityModel.Tokens from 7.5.2 to 7.6.0
f75d719 
Bumps [Microsoft.IdentityModel.Tokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 7.5.2 to 7.6.0.
- [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases)
- [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md)
- [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@7.5.2...7.6.0)

---
updated-dependencies:
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.EntityFrameworkCore.InMemory and Microsoft.EntityFrame…
067938d 
…workCore

Bumps [Microsoft.EntityFrameworkCore.InMemory](https://github.com/dotnet/efcore) and [Microsoft.EntityFrameworkCore](https://github.com/dotnet/efcore). These dependencies needed to be updated together.

Updates `Microsoft.EntityFrameworkCore.InMemory` from 8.0.5 to 8.0.6
- [Release notes](https://github.com/dotnet/efcore/releases)
- [Commits](dotnet/efcore@v8.0.5...v8.0.6)

Updates `Microsoft.EntityFrameworkCore` from 8.0.5 to 8.0.6
- [Release notes](https://github.com/dotnet/efcore/releases)
- [Commits](dotnet/efcore@v8.0.5...v8.0.6)

---
updated-dependencies:
- dependency-name: Microsoft.EntityFrameworkCore.InMemory
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: Microsoft.EntityFrameworkCore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.AspNetCore.Mvc.Testing from 8.0.5 to 8.0.6
5f6c784 
Bumps [Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/aspnetcore) from 8.0.5 to 8.0.6.
- [Release notes](https://github.com/dotnet/aspnetcore/releases)
- [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md)
- [Commits](dotnet/aspnetcore@v8.0.5...v8.0.6)

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Mvc.Testing
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
Merge pull request #519 from JoeShook/dependabot/nuget/develop/Micros…
c5dff70 
…oft.NET.Test.Sdk-17.10.0

Bump Microsoft.NET.Test.Sdk from 17.9.0 to 17.10.0
@JoeShook
Merge pull request #520 from JoeShook/dependabot/nuget/develop/multi-…
e337cca 
…8286cd2757

Bump Udap.Client, Udap.Common and Udap.Util
@JoeShook
Merge pull request #521 from JoeShook/dependabot/nuget/develop/Fluent…
5a67c78 
…Assertions.Analyzers-0.32.0

Bump FluentAssertions.Analyzers from 0.31.0 to 0.32.0
@JoeShook
Merge pull request #522 from JoeShook/dependabot/nuget/develop/xunit-…
926b200 
…2.8.1

Bump xunit from 2.8.0 to 2.8.1
@JoeShook
Merge pull request #524 from JoeShook/dependabot/nuget/develop/Micros…
61e434a 
…oft.IdentityModel.Tokens-7.6.0

Bump Microsoft.IdentityModel.Tokens from 7.5.2 to 7.6.0
@JoeShook
Merge pull request #525 from JoeShook/dependabot/nuget/develop/multi-…
07c9f04 
…c8bcf64f23

Bump Microsoft.EntityFrameworkCore.InMemory and Microsoft.EntityFrameworkCore
@JoeShook
Merge pull request #527 from JoeShook/dependabot/nuget/develop/Micros…
8a0926e 
…oft.AspNetCore.Mvc.Testing-8.0.6

Bump Microsoft.AspNetCore.Mvc.Testing from 8.0.5 to 8.0.6
@dependabot
Bump xunit.runner.visualstudio from 2.8.0 to 2.8.1
3418e24 
Bumps [xunit.runner.visualstudio](https://github.com/xunit/visualstudio.xunit) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/xunit/visualstudio.xunit/releases)
- [Commits](xunit/visualstudio.xunit@2.8.0...2.8.1)

---
updated-dependencies:
- dependency-name: xunit.runner.visualstudio
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
Merge pull request #523 from JoeShook/dependabot/nuget/develop/xunit.…
eebe49a 
…runner.visualstudio-2.8.1

Bump xunit.runner.visualstudio from 2.8.0 to 2.8.1
@dependabot
Bump Microsoft.EntityFrameworkCore from 8.0.5 to 8.0.6
d160daa 
Bumps [Microsoft.EntityFrameworkCore](https://github.com/dotnet/efcore) from 8.0.5 to 8.0.6.
- [Release notes](https://github.com/dotnet/efcore/releases)
- [Commits](dotnet/efcore@v8.0.5...v8.0.6)

---
updated-dependencies:
- dependency-name: Microsoft.EntityFrameworkCore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.IdentityModel.JsonWebTokens from 7.5.2 to 7.6.0
73541be 
Bumps [Microsoft.IdentityModel.JsonWebTokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 7.5.2 to 7.6.0.
- [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases)
- [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md)
- [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@7.5.2...7.6.0)

---
updated-dependencies:
- dependency-name: Microsoft.IdentityModel.JsonWebTokens
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.AspNetCore.DataProtection.Abstractions
5d7071b 
Bumps [Microsoft.AspNetCore.DataProtection.Abstractions](https://github.com/dotnet/aspnetcore) from 8.0.5 to 8.0.6.
- [Release notes](https://github.com/dotnet/aspnetcore/releases)
- [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md)
- [Commits](dotnet/aspnetcore@v8.0.5...v8.0.6)

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.DataProtection.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.Data.SqlClient from 5.2.0 to 5.2.1
3c5bafb 
Bumps [Microsoft.Data.SqlClient](https://github.com/dotnet/sqlclient) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/dotnet/sqlclient/releases)
- [Changelog](https://github.com/dotnet/SqlClient/blob/main/CHANGELOG.md)
- [Commits](dotnet/SqlClient@V5.2.0...v5.2.1)

---
updated-dependencies:
- dependency-name: Microsoft.Data.SqlClient
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump dotnet-ef from 8.0.5 to 8.0.6
155a648 
Bumps [dotnet-ef](https://github.com/dotnet/efcore) from 8.0.5 to 8.0.6.
- [Release notes](https://github.com/dotnet/efcore/releases)
- [Commits](dotnet/efcore@v8.0.5...v8.0.6)

---
updated-dependencies:
- dependency-name: dotnet-ef
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump MudBlazor from 6.19.1 to 6.20.0
ff0ca8c 
Bumps [MudBlazor](https://github.com/MudBlazor/MudBlazor) from 6.19.1 to 6.20.0.
- [Release notes](https://github.com/MudBlazor/MudBlazor/releases)
- [Changelog](https://github.com/MudBlazor/MudBlazor/blob/dev/CHANGELOG.md)
- [Commits](MudBlazor/MudBlazor@v6.19.1...v6.20.0)

---
updated-dependencies:
- dependency-name: MudBlazor
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.AspNetCore.Authentication.JwtBearer from 8.0.3 to 8.0.6
6d84cc7 
Bumps [Microsoft.AspNetCore.Authentication.JwtBearer](https://github.com/dotnet/aspnetcore) from 8.0.3 to 8.0.6.
- [Release notes](https://github.com/dotnet/aspnetcore/releases)
- [Changelog](https://github.com/dotnet/aspnetcore/blob/main/docs/ReleasePlanning.md)
- [Commits](dotnet/aspnetcore@v8.0.3...v8.0.6)

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.JwtBearer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
dependabot bot and others added 29 commits July 9, 2024 12:31
@dependabot
Bump xunit.runner.visualstudio from 2.8.1 to 2.8.2
b80e63a 
Bumps xunit.runner.visualstudio from 2.8.1 to 2.8.2.

---
updated-dependencies:
- dependency-name: xunit.runner.visualstudio
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
First cut of a mTLS proxy server to GCP FHIR Server.
eb01118
@JoeShook
More mTLS cert generation and misc house keeping
ca28bdf 
Deployed first mtls.fhirlabs.net proxy to GCP.
@JoeShook
Merge pull request #568 from JoeShook/dependabot/nuget/develop/xunit.…
076cae0 
…runner.visualstudio-2.8.2

Bump xunit.runner.visualstudio from 2.8.1 to 2.8.2
@JoeShook
Package updates
43c8178
@JoeShook
Update packages
210a869
@JoeShook
Fixup possible race conditions
27c4176
@JoeShook
Fixup possible race conditions continued
e11b655
@dependabot
Bump dotnet-ef from 8.0.6 to 8.0.7
842ad69 
Bumps dotnet-ef from 8.0.6 to 8.0.7.

---
updated-dependencies:
- dependency-name: dotnet-ef
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.Id…
ebd2561 
…entityModel.Tokens

Bumps Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.IdentityModel.Tokens. These dependencies needed to be updated together.

Updates `Microsoft.IdentityModel.Protocols.OpenIdConnect` from 7.6.2 to 7.6.3

Updates `Microsoft.IdentityModel.Tokens` from 7.6.2 to 7.6.3

---
updated-dependencies:
- dependency-name: Microsoft.IdentityModel.Protocols.OpenIdConnect
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: Microsoft.IdentityModel.Tokens
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
Update TrustChainValidator.cs
ea3eb56
@dependabot
Bump Microsoft.AspNetCore.Authentication.OpenIdConnect
06d5c2b 
Bumps Microsoft.AspNetCore.Authentication.OpenIdConnect from 8.0.6 to 8.0.7.

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.Authentication.OpenIdConnect
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
DiscoveryUrl Parsing fixup
0c2889d 
Allow the consumer to pass a fully build UDAP well-known url with community parameter and handle it.
@JoeShook
Merge pull request #578 from JoeShook/dependabot/nuget/develop/Micros…
60a6738 
…oft.AspNetCore.Authentication.OpenIdConnect-8.0.7

Bump Microsoft.AspNetCore.Authentication.OpenIdConnect from 8.0.6 to 8.0.7
@JoeShook
Merge pull request #577 from JoeShook/dependabot/nuget/develop/multi-…
be379c1 
…799d6280f1

Bump Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.IdentityModel.Tokens
@JoeShook
Merge pull request #573 from JoeShook/dependabot/nuget/develop/dotnet…
343d27e 
…-ef-8.0.7

Bump dotnet-ef from 8.0.6 to 8.0.7
@dependabot
Bump Microsoft.AspNetCore.DataProtection.Abstractions
a6b43f8 
Bumps Microsoft.AspNetCore.DataProtection.Abstractions from 8.0.6 to 8.0.7.

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.DataProtection.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@JoeShook
Merge pull request #569 from JoeShook/dependabot/nuget/develop/Micros…
664d92c 
…oft.AspNetCore.DataProtection.Abstractions-8.0.7

Bump Microsoft.AspNetCore.DataProtection.Abstractions from 8.0.6 to 8.0.7
@JoeShook
Allow the consumer to pass a fully build UDAP well-known url with com…
701b7ed 
…munity parameter and handle it.

Continued with more paths that need this feature.
This is a result of me testing what it would be like to host a community based metadata URL in a Directory like National Directory.
@JoeShook
Merge branch 'develop' of https://github.com/JoeShook/udap-dotnet int…
e9588f1 
…o develop
@JoeShook
New tests and fixups to handle Authorization Certificate Rolloer
c1ff521 
A client registers and two entries are set in the Secrets table.  Those entries contain an expires column that is the same as the UDAP client certificate expiration.  Some time in the future the client Authorizes with a signed client_assertion.  On the IdentityServer side the secrets are resolved from the secret table.  But because they are expired the secrets are not available to the UdapJwtSecretValidator.   The validator needs to handle this situation by informing the Client Store to updated the secrets in supplied by the signed client_assertion.  Of course this should not happen until the signed client_assertion has been validated with the JsonWebTokenHandler.  Once this is done the expiration dates for the existing secrets can be updated and then the lookups for anchors related to the community can be resolved and finally the x509 Chaining process can be validated.
@JoeShook
Rollover continued.
8e9d669
@JoeShook
Clean up un-needed package server refs.
802f5ad 
I think I don't need it?
@JoeShook
Update nuget.config
4b2d543
@JoeShook
Return the Azure nuget package source.
cb66e29 
Need it for access to the pre-release System.CommandLine packages
@JoeShook
Return the Azure nuget package source.
5d1fa3a 
Need it for access to the pre-release System.CommandLine packages
@JoeShook
package updates
c5e7ef2
@JoeShook
Update Directory.Packages.props
20e7c53
@JoeShook
Merge pull request #583 from JoeShook/develop
e6f3ba3 
Post CMS Connect-a-thon 5
@JoeShook JoeShook merged commit 6116c6d into udap-tools:main Jul 19, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@JoeShook