Merge branch 'stages/rc-2025-03-11' into 'stages/prod'

solipet · solipet · commit 9de9bf77deb6 · 2025-03-13T17:31:46.000Z
Deploy RC 88 to Prod

See merge request lg/identity-pki!77
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -141,6 +141,49 @@ check_expiring_certificates:
     - bundle exec rake db:setup --trace
     - bundle exec rake certs:print_expiring[0]
 
+
+include:
+  - template: Security/Secret-Detection.gitlab-ci.yml
+
+secret_detection:
+  stage: test
+  allow_failure: false
+  needs: []
+  artifacts:
+    paths:
+      - gl-secret-detection-report.json
+    reports:
+      secret_detection: gl-secret-detection-report.json
+  variables:
+    SECRET_DETECTION_EXCLUDED_PATHS: 'keys.example,config/artifacts.example,public/acuant/*/opencv.min.js,tmp/0.0.0.0-3000.key'
+    SECRET_DETECTION_REPORT_FILE: 'gl-secret-detection-report.json'
+  rules:
+    - if: $SECRET_DETECTION_DISABLED
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      variables:
+        SECRET_DETECTION_LOG_OPTIONS: ${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}
+  before_script:
+    - apk add --no-cache jq
+  script:
+    - |
+        echo "running analyzer"
+        /analyzer run
+        if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
+          # check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
+          if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
+            echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
+            echo "Check the \"Security\" tab on the overall pipeline run to download the report for more information."
+            exit 1
+          fi
+        else
+          echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
+        fi
+
+
+
 build-ci-image:
   stage: build
   interruptible: true
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -229,7 +229,7 @@ GEM
     puma (6.4.3)
       nio4r (~> 2.0)
     racc (1.8.1)
-    rack (3.1.10)
+    rack (3.1.12)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
diff --git a/app/controllers/identify_controller.rb b/app/controllers/identify_controller.rb
@@ -1,5 +1,4 @@
 require 'cgi'
-require 'openssl'
 require 'open3'
 
 class IdentifyController < ApplicationController
@@ -104,8 +103,6 @@ def allowed_referrer?(uri)
   def log_certificate(cert)
     validation_result = cert.validate_cert(is_leaf: true)
     valid = validation_result == 'valid'
-    login_certs_openssl_result = openssl_validate(cert.to_pem, Rails.root.join(IdentityConfig.store.login_certificate_bundle_file).to_s)
-    ficam_certs_openssl_result = openssl_validate(cert.to_pem, Rails.root.join(IdentityConfig.store.ficam_certificate_bundle_file).to_s)
     attributes = {
       name: 'Certificate Processed',
       signing_key_id: cert.signing_key_id,
@@ -116,35 +113,13 @@ def log_certificate(cert)
       mapped_policy_oids: cert.mapped_policies.map { |oid| [oid, true] }.to_h,
       valid: valid,
       error: !valid ? validation_result : nil,
-      openssl_valid: login_certs_openssl_result[:valid],
-      openssl_errors: login_certs_openssl_result[:errors],
-      ficam_openssl_valid: ficam_certs_openssl_result[:valid],
-      ficam_openssl_errors: ficam_certs_openssl_result[:errors],
     }
 
     attributes.delete(:issuer) if validation_result == 'self-signed cert'
     if valid
       attributes[:matched_policy_oids] = cert.matched_policy_oids.map { |oid| [oid, true] }.to_h
     end
 
-    # Log certificate if it fails either OpenSSL validation, but passes our current validation or vice versa
-    if valid != login_certs_openssl_result[:valid] || valid != ficam_certs_openssl_result[:valid]
-      CertificateLoggerService.log_certificate(cert)
-    end
-
     logger.info(attributes.to_json)
   end
-
-  def openssl_validate(certificate_pem, certificate_bundle_file_path)
-    return {} if !IdentityConfig.store.openssl_verify_enabled
-    stdout, stderr, status = Open3.capture3('openssl', 'verify', '-purpose', 'sslclient', '-inhibit_any', '-explicit_policy', '-CAfile', certificate_bundle_file_path, '-policy_check', '-policy', '2.16.840.1.101.3.2.1.3.7', '-policy', '2.16.840.1.101.3.2.1.3.13', '-policy', '2.16.840.1.101.3.2.1.3.15', '-policy', '2.16.840.1.101.3.2.1.3.16', '-policy', '2.16.840.1.101.3.2.1.3.18', '-policy', '2.16.840.1.101.3.2.1.3.41', stdin_data: certificate_pem)
-
-    stderr.strip!
-    stdout.strip!
-    errors = stderr.scan(/(error \d+ [\w :]+)$\n?/).flatten
-    {
-      valid: status.success? && stdout.ends_with?('OK') && errors.empty?,
-      errors: errors.join(', '),
-    }
-  end
 end
diff --git a/spec/controllers/identify_controller_spec.rb b/spec/controllers/identify_controller_spec.rb
@@ -140,7 +140,6 @@
 
             cert = Certificate.new(client_cert)
 
-            expect(CertificateLoggerService).to receive(:log_certificate).once
             expect(Rails.logger).to receive(:info).with(/GET/).once
             expect(Rails.logger).to receive(:info).with(
               'Returning a token for a valid certificate.'
@@ -155,10 +154,6 @@
               mapped_policy_oids: { '2.16.840.1.101.3.2.1.3.7' => true },
               valid: true,
               error: nil,
-              openssl_valid: false,
-              openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
-              ficam_openssl_valid: false,
-              ficam_openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
               matched_policy_oids: { '2.16.840.1.101.3.2.1.3.7' => true },
             }.to_json).once
 
@@ -209,7 +204,6 @@
           it 'returns a token with a uuid and subject' do
             allow(IdentityConfig.store).to receive(:client_cert_escaped).and_return(false)
             @request.headers['X-Client-Cert'] = client_cert_pem.split(/\n/).join("\n\t")
-            expect(CertificateLoggerService).to receive(:log_certificate).once
 
             get :create, params: { nonce: '123', redirect_uri: 'http://example.com/' }
             expect(response).to have_http_status(:found)
@@ -372,10 +366,6 @@
               mapped_policy_oids: {},
               valid: false,
               error: 'self-signed cert',
-              openssl_valid: false,
-              openssl_errors: 'error 18 at 0 depth lookup: self signed certificate, error 26 at 0 depth lookup: unsupported certificate purpose',
-              ficam_openssl_valid: false,
-              ficam_openssl_errors: 'error 18 at 0 depth lookup: self signed certificate, error 26 at 0 depth lookup: unsupported certificate purpose',
             }.to_json).once
 
             get :create, params: { nonce: '123', redirect_uri: 'http://example.com/' }
