From cd74a9a5f6474f8a84eb0506bdb13c8f92526d89 Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 10 Apr 2023 11:19:00 +0530 Subject: [PATCH 01/13] Add Ory IAM setup - Added sonarqube folder to gitignore - Added modified Ory email-password template - Added totp to show account name in kratos schema - Disabled magic links for recovery in kratos config - Enabled login only for verified emails in kratos config - Disabled login after registration in kratos config --- .gitignore | 3 +- browser-extension/plugin/.gitignore | 3 +- .../email-password/identity.schema.json | 39 ++++++++ ory/kratos/email-password/kratos.yml | 96 +++++++++++++++++++ ory/kratos/quickstart-postgres.yml | 21 ++++ ory/kratos/quickstart-standalone.yml | 10 ++ ory/kratos/quickstart.yml | 59 ++++++++++++ 7 files changed, 229 insertions(+), 2 deletions(-) create mode 100644 ory/kratos/email-password/identity.schema.json create mode 100644 ory/kratos/email-password/kratos.yml create mode 100644 ory/kratos/quickstart-postgres.yml create mode 100644 ory/kratos/quickstart-standalone.yml create mode 100644 ory/kratos/quickstart.yml diff --git a/.gitignore b/.gitignore index 6c506f4a..92bc2a52 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .vscode -dom-html.txt \ No newline at end of file +dom-html.txt +.scannerwork/ diff --git a/browser-extension/plugin/.gitignore b/browser-extension/plugin/.gitignore index 8e8f8a56..555978b8 100644 --- a/browser-extension/plugin/.gitignore +++ b/browser-extension/plugin/.gitignore @@ -2,4 +2,5 @@ dist/ node_modules/ *.zip -*.env \ No newline at end of file +*.env +.scannerwork/ diff --git a/ory/kratos/email-password/identity.schema.json b/ory/kratos/email-password/identity.schema.json new file mode 100644 index 00000000..e8dc61bc --- /dev/null +++ b/ory/kratos/email-password/identity.schema.json 
@@ -0,0 +1,39 @@ +{ + "$id": "./ory/kratos/email-password/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 3, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + }, + "totp": { + "account_name": true + } + }, + "verification": { + "via": "email" + }, + "recovery": { + "via": "email" + } + } + } + }, + "required": [ + "email" + ], + "additionalProperties": false + } + } +} diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml new file mode 100644 index 00000000..2e435552 --- /dev/null +++ b/ory/kratos/email-password/kratos.yml 
@@ -0,0 +1,96 @@ +version: v0.11.0 + +dsn: memory + +serve: + public: + base_url: http://127.0.0.1:4433/ + cors: + enabled: true + admin: + base_url: http://kratos:4434/ + +selfservice: + default_browser_return_url: http://127.0.0.1:4455/ + allowed_return_urls: + - http://127.0.0.1:4455 + + methods: + password: + enabled: true + totp: + config: + issuer: Kratos + enabled: true + lookup_secret: + enabled: true + link: + enabled: false + code: + enabled: true + + flows: + error: + ui_url: http://127.0.0.1:4455/error + + settings: + ui_url: http://127.0.0.1:4455/settings + privileged_session_max_age: 15m + required_aal: highest_available + + recovery: + enabled: true + ui_url: http://127.0.0.1:4455/recovery + use: code + + verification: + enabled: true + ui_url: http://127.0.0.1:4455/verification + use: code + after: + default_browser_return_url: http://127.0.0.1:4455/ + + logout: + after: + default_browser_return_url: http://127.0.0.1:4455/login + + login: + ui_url: http://127.0.0.1:4455/login + lifespan: 10m + after: + password: + hooks: + - hook: require_verified_address + + registration: + lifespan: 10m + ui_url: http://127.0.0.1:4455/registration + +log: + level: debug + format: text + leak_sensitive_values: true + +secrets: + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + cipher: + - 32-LONG-SECRET-NOT-SECURE-AT-ALL + +ciphers: + algorithm: xchacha20-poly1305 + +hashers: + algorithm: bcrypt + bcrypt: + cost: 8 + +identity: + default_schema_id: default + schemas: + - id: default + url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true diff --git a/ory/kratos/quickstart-postgres.yml b/ory/kratos/quickstart-postgres.yml new file mode 100644 index 00000000..abc865a1 --- /dev/null +++ b/ory/kratos/quickstart-postgres.yml 
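Review bot: `secrets.cookie` and `secrets.cipher` in this new kratos.yml carry the well-known quickstart placeholders (`PLEASE-CHANGE-ME-I-AM-VERY-INSECURE`, `32-LONG-SECRET-NOT-SECURE-AT-ALL`), and nothing later in the series replaces them, so session cookies and encrypted credentials would be protected by values anyone can read from the repository. Kratos maps config keys to environment variables (the compose file already uses `DSN` for `dsn`), so these can be injected as `SECRETS_COOKIE` / `SECRETS_CIPHER` from a secret store at deploy time, leaving only a comment in the file such as `# secrets: supplied via SECRETS_COOKIE / SECRETS_CIPHER; cipher must be exactly 32 characters`. In the same hunk `serve.public.cors.enabled: true` has no `allowed_origins`, and `courier.smtp.connection_uri` embeds test credentials with `skip_ssl_verify=true`; both should be marked as local-only with a comment, since this file is named as the email-password profile rather than a quickstart.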
@@ -0,0 +1,21 @@ +version: '3.7' + +services: + kratos-migrate: + environment: + - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 + + kratos: + environment: + - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 + + postgresd: + image: postgres:9.6 + ports: + - "5433:5433" + environment: + - POSTGRES_USER=kratos + - POSTGRES_PASSWORD=secret + - POSTGRES_DB=kratos + networks: + - intranet diff --git a/ory/kratos/quickstart-standalone.yml b/ory/kratos/quickstart-standalone.yml new file mode 100644 index 00000000..8c799284 --- /dev/null +++ b/ory/kratos/quickstart-standalone.yml @@ -0,0 +1,10 @@ +version: '3.7' + +services: + kratos-selfservice-ui-node: + ports: + - "4455:4455" + environment: + - PORT=4455 + - SECURITY_MODE= + - KRATOS_BROWSER_URL=http://127.0.0.1:4433/ diff --git a/ory/kratos/quickstart.yml b/ory/kratos/quickstart.yml new file mode 100644 index 00000000..5b7d875d --- /dev/null +++ b/ory/kratos/quickstart.yml 
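Review bot: `POSTGRES_PASSWORD=secret` in the new `postgresd` service, and the same credential embedded twice in `DSN=postgres://kratos:secret@postgresd:5432/...`, put the database password into source control; the official image accepts `POSTGRES_PASSWORD_FILE`, and the DSN can be composed from a gitignored env file so one source feeds both. The mapping `"5433:5433"` publishes container port 5433 while the DSN targets `postgresd:5432`, so the host mapping reaches nothing — it should be `"5433:5432"` if host access is really wanted, or `ports:` dropped entirely since only the compose network needs the database. `postgres:9.6` is past end-of-life. The same DSN and postgresd block recur in the merged docker-compose.yml of patch 03 and survive the later renames, so the fix applies there as well.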
@@ -0,0 +1,59 @@ +version: '3.7' +services: + kratos-migrate: + image: oryd/kratos:v0.11.0 + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./email-password + target: /etc/config/kratos + command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes + restart: on-failure + networks: + - intranet + kratos-selfservice-ui-node: + image: oryd/kratos-selfservice-ui-node:v0.11.0 + environment: + - KRATOS_PUBLIC_URL=http://kratos:4433/ + - KRATOS_BROWSER_URL=http://127.0.0.1:4433/ + networks: + - intranet + restart: on-failure + kratos: + depends_on: + - kratos-migrate + image: oryd/kratos:v0.11.0 + ports: + - '4433:4433' # public + - '4434:4434' # admin + restart: unless-stopped + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true + - LOG_LEVEL=trace + command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier + volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - type: bind + source: ./email-password + target: /etc/config/kratos + networks: + - intranet + mailslurper: + image: oryd/mailslurper:latest-smtps + ports: + - '4436:4436' + - '4437:4437' + networks: + - intranet +networks: + intranet: +volumes: + kratos-sqlite: From 9e46a9616d596f55e53b0f870e562bfc3a418296 Mon Sep 17 00:00:00 2001 
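Review bot: `- '4434:4434' # admin` publishes the Kratos admin API, which has no authentication of its own, on every host interface, and the same service runs `command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier`, where `--dev` relaxes Kratos's own security checks (per the flag's help text). The admin port is only unpublished in patch 12, and `--dev` survives into the final docker-kratos.yml; at minimum bind the port to loopback while it is needed, `- '127.0.0.1:4434:4434' # admin, local only`, and mark `--dev` with a comment as a local-run flag. `LOG_LEVEL=trace` and the unpinned `oryd/mailslurper:latest-smtps` tag are lower-priority items in the same hunk.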
From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 10 Apr 2023 14:47:32 +0530 Subject: [PATCH 02/13] Modify kratos config - Added default password config keys - Added a 15 min lifespan to any use of codes eg verification, recovery - Added a 15 min lifespan to verification and recovery URLs - match the code lifespan - Modified verification flow to go to login page - Added key to enable/disable registration in config - Disabled leak sensitive values and replace with redacted text in logs - Modified hashing cost - Added default session key values - Enforce MFA if set up --- ory/kratos/email-password/kratos.yml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml index 2e435552..c6fbb3e9 100644 --- a/ory/kratos/email-password/kratos.yml +++ b/ory/kratos/email-password/kratos.yml @@ -18,6 +18,11 @@ selfservice: methods: password: enabled: true + config: + haveibeenpwned_enabled: true + ignore_network_errors: true + min_password_length: 8 + identifier_similarity_check_enabled: true totp: config: issuer: Kratos @@ -28,6 +33,8 @@ selfservice: enabled: false code: enabled: true + config: + lifespan: 15m flows: error: @@ -42,13 +49,17 @@ selfservice: enabled: true ui_url: http://127.0.0.1:4455/recovery use: code + lifespan: 15m + #notify_unknown_recipients: false verification: enabled: true ui_url: http://127.0.0.1:4455/verification use: code + lifespan: 15m + #notify_unknown_recipients: false after: - default_browser_return_url: http://127.0.0.1:4455/ + default_browser_return_url: http://127.0.0.1:4455/login logout: after: @@ -65,11 +76,13 @@ selfservice: registration: lifespan: 10m ui_url: http://127.0.0.1:4455/registration + enabled: true log: level: debug format: text - leak_sensitive_values: true + leak_sensitive_values: false + redaction_text: "" secrets: cookie: 
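Review bot: `ignore_network_errors: true` under `selfservice.methods.password.config` makes the breached-password check fail open: when the HIBP API is unreachable the password is accepted without the lookup, and the `haveibeenpwned_host` added in patch 05 does not change that. If the check is meant to be a hard requirement, set `ignore_network_errors: false` and accept that registration fails during an HIBP outage; otherwise keep the value and record the trade-off, e.g. `# fail-open: an HIBP outage skips the breach check`. In the log hunk, `redaction_text: ""` replaces the default redaction marker with an empty string, so — if the empty value is honored literally rather than falling back to the default — redacted fields become indistinguishable from genuinely empty ones; a visible marker such as `redaction_text: "[redacted]"` is safer for incident review.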
@@ -83,7 +96,13 @@ ciphers: hashers: algorithm: bcrypt bcrypt: - cost: 8 + cost: 12 + +session: + lifespan: 24h + earliest_possible_extend: 24h + whoami: + required_aal: highest_available identity: default_schema_id: default From 809659e3a95128ec035e7574abf877297980b2a5 Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 10 Apr 2023 15:32:33 +0530 Subject: [PATCH 03/13] Merged and renamed docker compose files --- .../{quickstart.yml => docker-compose.yml} | 22 +++++++++++++++++-- ory/kratos/quickstart-postgres.yml | 21 ------------------ ory/kratos/quickstart-standalone.yml | 10 --------- 3 files changed, 20 insertions(+), 33 deletions(-) rename ory/kratos/{quickstart.yml => docker-compose.yml} (73%) delete mode 100644 ory/kratos/quickstart-postgres.yml delete mode 100644 ory/kratos/quickstart-standalone.yml diff --git a/ory/kratos/quickstart.yml b/ory/kratos/docker-compose.yml similarity index 73% rename from ory/kratos/quickstart.yml rename to ory/kratos/docker-compose.yml index 5b7d875d..0677ed2f 100644 --- a/ory/kratos/quickstart.yml +++ b/ory/kratos/docker-compose.yml @@ -3,7 +3,7 @@ services: kratos-migrate: image: oryd/kratos:v0.11.0 environment: - - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 volumes: - type: volume source: kratos-sqlite @@ -16,14 +16,20 @@ services: restart: on-failure networks: - intranet + kratos-selfservice-ui-node: image: oryd/kratos-selfservice-ui-node:v0.11.0 + ports: + - "4455:4455" environment: + - PORT=4455 + - SECURITY_MODE= - KRATOS_PUBLIC_URL=http://kratos:4433/ - KRATOS_BROWSER_URL=http://127.0.0.1:4433/ networks: - intranet restart: on-failure + kratos: depends_on: - kratos-migrate 
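Review bot: `earliest_possible_extend: 24h` equals `session.lifespan: 24h`, so as I read the Kratos semantics for this key a session can be refreshed at any point in its life rather than only near expiry, and a client that keeps extending never reaches an absolute cutoff, which undercuts the 24h lifespan. A shorter window, for example `earliest_possible_extend: 1h`, keeps extension available close to expiry while making the lifespan meaningful; if unlimited refresh is intended, a comment on the key should say so. `whoami.required_aal: highest_available` correctly enforces the second factor for identities that enrolled TOTP or lookup secrets.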
@@ -33,7 +39,7 @@ services: - '4434:4434' # admin restart: unless-stopped environment: - - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true + - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL=trace command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier volumes: @@ -46,6 +52,18 @@ services: target: /etc/config/kratos networks: - intranet + + postgresd: + image: postgres:9.6 + ports: + - "5433:5433" + environment: + - POSTGRES_USER=kratos + - POSTGRES_PASSWORD=secret + - POSTGRES_DB=kratos + networks: + - intranet + mailslurper: image: oryd/mailslurper:latest-smtps ports: diff --git a/ory/kratos/quickstart-postgres.yml b/ory/kratos/quickstart-postgres.yml deleted file mode 100644 index abc865a1..00000000 --- a/ory/kratos/quickstart-postgres.yml +++ /dev/null @@ -1,21 +0,0 @@ -version: '3.7' - -services: - kratos-migrate: - environment: - - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 - - kratos: - environment: - - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 - - postgresd: - image: postgres:9.6 - ports: - - "5433:5433" - environment: - - POSTGRES_USER=kratos - - POSTGRES_PASSWORD=secret - - POSTGRES_DB=kratos - networks: - - intranet diff --git a/ory/kratos/quickstart-standalone.yml b/ory/kratos/quickstart-standalone.yml deleted file mode 100644 index 8c799284..00000000 --- a/ory/kratos/quickstart-standalone.yml +++ /dev/null @@ -1,10 +0,0 @@ -version: '3.7' - -services: - kratos-selfservice-ui-node: - ports: - - "4455:4455" - environment: - - PORT=4455 - - SECURITY_MODE= - - KRATOS_BROWSER_URL=http://127.0.0.1:4433/ From 77ab2841732dab9c13d87b4602662d7220f3d660 Mon Sep 17 00:00:00 2001 
From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Tue, 11 Apr 2023 12:21:18 +0530 Subject: [PATCH 04/13] - Updated Kratos version to current - Updated postgres version to current - Added methods that are explictly disabled - oidc, webauthn - Disabled changing protected profile fields --- ory/kratos/docker-compose.yml | 8 ++++---- ory/kratos/email-password/kratos.yml | 10 ++++++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ory/kratos/docker-compose.yml b/ory/kratos/docker-compose.yml index 0677ed2f..b7cbbb68 100644 --- a/ory/kratos/docker-compose.yml +++ b/ory/kratos/docker-compose.yml @@ -1,7 +1,7 @@ version: '3.7' services: kratos-migrate: - image: oryd/kratos:v0.11.0 + image: oryd/kratos:v0.11.1 environment: - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 volumes: @@ -18,7 +18,7 @@ services: - intranet kratos-selfservice-ui-node: - image: oryd/kratos-selfservice-ui-node:v0.11.0 + image: oryd/kratos-selfservice-ui-node:v0.11.1 ports: - "4455:4455" environment: @@ -33,7 +33,7 @@ services: kratos: depends_on: - kratos-migrate - image: oryd/kratos:v0.11.0 + image: oryd/kratos:v0.11.1 ports: - '4433:4433' # public - '4434:4434' # admin @@ -54,7 +54,7 @@ services: - intranet postgresd: - image: postgres:9.6 + image: postgres:15.2 ports: - "5433:5433" environment: diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml index c6fbb3e9..8660c584 100644 --- a/ory/kratos/email-password/kratos.yml +++ b/ory/kratos/email-password/kratos.yml @@ -1,4 +1,4 @@ -version: v0.11.0 +version: v0.11.1 dsn: memory @@ -35,7 +35,13 @@ selfservice: enabled: true config: lifespan: 15m - + oidc: + enabled: false + webauthn: + enabled: false + profile: + enabled: false + flows: error: ui_url: http://127.0.0.1:4455/error From f56714c5e71565a2cfb2d6e72b92b0ffd1b79111 Mon Sep 17 00:00:00 2001 
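Review bot: `profile: enabled: false` under `selfservice.methods` switches off the whole profile method of the settings flow, so users cannot change any trait through the settings UI, which is broader than the commit's "protected profile fields" wording suggests. If that is intended — the schema's only trait is `email`, and changing it from settings would presumably sidestep re-verification, worth confirming — record it with a comment: `# profile method disabled: email is the only trait and must not change without re-verification`. The explicit `oidc` and `webauthn` `enabled: false` entries are useful documentation of intent and can stay.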
From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Tue, 11 Apr 2023 14:14:00 +0530 Subject: [PATCH 05/13] - Removed kratos-sqlite volume - Added hibp password defaults --- ory/kratos/docker-compose.yml | 10 ---------- ory/kratos/email-password/kratos.yml | 1 + 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/ory/kratos/docker-compose.yml b/ory/kratos/docker-compose.yml index b7cbbb68..ec566374 100644 --- a/ory/kratos/docker-compose.yml +++ b/ory/kratos/docker-compose.yml @@ -5,10 +5,6 @@ services: environment: - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 volumes: - - type: volume - source: kratos-sqlite - target: /var/lib/sqlite - read_only: false - type: bind source: ./email-password target: /etc/config/kratos @@ -43,10 +39,6 @@ services: - LOG_LEVEL=trace command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier volumes: - - type: volume - source: kratos-sqlite - target: /var/lib/sqlite - read_only: false - type: bind source: ./email-password target: /etc/config/kratos @@ -73,5 +65,3 @@ services: - intranet networks: intranet: -volumes: - kratos-sqlite: diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml index 8660c584..10e18c58 100644 --- a/ory/kratos/email-password/kratos.yml +++ b/ory/kratos/email-password/kratos.yml @@ -21,6 +21,7 @@ selfservice: config: haveibeenpwned_enabled: true ignore_network_errors: true + haveibeenpwned_host: "api.pwnedpasswords.com" min_password_length: 8 identifier_similarity_check_enabled: true totp: From 886cf9c12360958a3c62707adb0d5dff010ef215 Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Tue, 11 Apr 2023 14:56:28 +0530 Subject: [PATCH 06/13] - Modified TOTP issuer --- ory/kratos/email-password/kratos.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml index 10e18c58..8527058b 100644 --- a/ory/kratos/email-password/kratos.yml +++ b/ory/kratos/email-password/kratos.yml @@ -26,7 +26,7 @@ selfservice: identifier_similarity_check_enabled: true totp: config: - issuer: Kratos + issuer: Tattle enabled: true lookup_secret: enabled: true From 38f9960897fc3241211267c31af6f33785809b6d Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Wed, 12 Apr 2023 16:57:55 +0530 Subject: [PATCH 07/13] - Updated kratos-selfservice-ui-node version --- ory/kratos/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ory/kratos/docker-compose.yml b/ory/kratos/docker-compose.yml index ec566374..2f3b0f4b 100644 --- a/ory/kratos/docker-compose.yml +++ b/ory/kratos/docker-compose.yml @@ -14,7 +14,7 @@ services: - intranet kratos-selfservice-ui-node: - image: oryd/kratos-selfservice-ui-node:v0.11.1 + image: oryd/kratos-selfservice-ui-node:v0.12.6 ports: - "4455:4455" environment: From 603e0f809ab1369d52f9649e66f0f06e50259aeb Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Thu, 13 Apr 2023 15:11:39 +0530 Subject: [PATCH 08/13] - Added working Ory Oathkeeper proof of concept --- ory/kratos/docker-compose.yml | 4 +- ory/kratos/quickstart-oathkeeper.yml | 30 ++++++++++ ory/oathkeeper/access-rules.yml | 60 +++++++++++++++++++ ory/oathkeeper/id_token.jwks.json | 18 ++++++ ory/oathkeeper/oathkeeper.yml | 88 ++++++++++++++++++++++++++++ 5 files changed, 198 insertions(+), 2 deletions(-) create mode 100644 ory/kratos/quickstart-oathkeeper.yml create mode 100644 ory/oathkeeper/access-rules.yml create mode 100644 ory/oathkeeper/id_token.jwks.json create mode 100644 ory/oathkeeper/oathkeeper.yml diff --git a/ory/kratos/docker-compose.yml b/ory/kratos/docker-compose.yml index 2f3b0f4b..04e99f2f 100644 --- a/ory/kratos/docker-compose.yml 
+++ b/ory/kratos/docker-compose.yml @@ -15,8 +15,8 @@ services: kratos-selfservice-ui-node: image: oryd/kratos-selfservice-ui-node:v0.12.6 - ports: - - "4455:4455" + #ports: + # - "4455:4455" environment: - PORT=4455 - SECURITY_MODE= diff --git a/ory/kratos/quickstart-oathkeeper.yml b/ory/kratos/quickstart-oathkeeper.yml new file mode 100644 index 00000000..fc180312 --- /dev/null +++ b/ory/kratos/quickstart-oathkeeper.yml @@ -0,0 +1,30 @@ +version: '3.7' + +services: + kratos: + environment: + - SERVE_PUBLIC_BASE_URL=http://127.0.0.1:4455/.ory/kratos/public/ + + kratos-selfservice-ui-node: + environment: + - PORT=4435 + - KRATOS_BROWSER_URL=http://127.0.0.1:4455/.ory/kratos/public + - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json + - SECURITY_MODE=jwks + + oathkeeper: + image: oryd/oathkeeper:v0.40 + depends_on: + - kratos + ports: + - 4455:4455 + - 4456:4456 + command: + serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml" + environment: + - LOG_LEVEL=debug + restart: on-failure + networks: + - intranet + volumes: + - ../oathkeeper:/etc/config/oathkeeper diff --git a/ory/oathkeeper/access-rules.yml b/ory/oathkeeper/access-rules.yml new file mode 100644 index 00000000..a622c2cf --- /dev/null +++ b/ory/oathkeeper/access-rules.yml 
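Review bot: `- 4456:4456` publishes Oathkeeper's API port on the host, yet the only consumer in this file, `JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json`, reaches it over the compose network; the API port also serves the rules and decision endpoints, so it should stay unpublished and only `4455` exposed for the browser. The `volumes:` mount `- ../oathkeeper:/etc/config/oathkeeper` is read-write and that directory holds `id_token.jwks.json`, the id_token signing key; make it `- ../oathkeeper:/etc/config/oathkeeper:ro`. Both points persist through the rename in patch 12 and the hardening in patch 13.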
@@ -0,0 +1,60 @@ +- + id: "ory:kratos:public" + upstream: + preserve_host: true + url: "http://kratos:4433" + strip_path: /.ory/kratos/public + match: + url: "http://127.0.0.1:4455/.ory/kratos/public/<**>" + methods: + - GET + - POST + - PUT + - DELETE + - PATCH + authenticators: + - + handler: noop + authorizer: + handler: allow + mutators: + - handler: noop + +- + id: "ory:kratos-selfservice-ui-node:anonymous" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://127.0.0.1:4455/<{registration,welcome,recovery,verification,login,error,health/{alive,ready},**.css,**.js,**.png,}>" + methods: + - GET + authenticators: + - + handler: anonymous + authorizer: + handler: allow + mutators: + - + handler: noop + +- + id: "ory:kratos-selfservice-ui-node:protected" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://127.0.0.1:4455/<{sessions,settings}>" + methods: + - GET + authenticators: + - + handler: cookie_session + authorizer: + handler: allow + mutators: + - handler: id_token + errors: + - handler: redirect + config: + to: http://127.0.0.1:4455/login diff --git a/ory/oathkeeper/id_token.jwks.json b/ory/oathkeeper/id_token.jwks.json new file mode 100644 index 00000000..5bc1ec15 --- /dev/null +++ b/ory/oathkeeper/id_token.jwks.json 
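Review bot: Every `match.url` hard-codes `http://127.0.0.1:4455/...`, so a deployment reached under any other origin matches no rule and is rejected; a header comment should state that the matcher origin is the browser-facing URL and must change together with `serve.public.base_url` and `default_browser_return_url` in kratos.yml. The same comment can record that paths outside these globs are rejected by Oathkeeper's no-matching-rule default, which is the intended deny-by-default, and that the trailing empty alternative in `<{registration,...,**.png,}>` is what admits the bare `/` path — neither is obvious from the file. The `ory:kratos-selfservice-ui-node:protected` rule covers only `sessions` and `settings` without subpaths, which appears to match the UI node's routes; confirm against the UI version pinned in compose.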
@@ -0,0 +1,18 @@ +{ + "keys": [ + { + "use": "sig", + "kty": "RSA", + "kid": "a2aa9739-d753-4a0d-87ee-61f101050277", + "alg": "RS256", + "n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw", + "e": "AQAB", + "d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ", + "p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs", + "q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk", + "dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM", + "dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk", + "qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q" + } + ] +} diff --git a/ory/oathkeeper/oathkeeper.yml b/ory/oathkeeper/oathkeeper.yml new file mode 100644 index 00000000..ff8ec39c --- /dev/null +++ b/ory/oathkeeper/oathkeeper.yml 
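Review bot: `id_token.jwks.json` commits a full RSA private key (the `d`, `p`, `q`, `dp`, `dq`, `qi` members) that the `id_token` mutator signs with and that the UI node trusts through `SECURITY_MODE=jwks`; the `kid` looks like the key shipped with the public Ory quickstart, so anyone with that material can produce tokens the UI accepts. Generate a fresh key per environment outside the repository, mount it at deploy time, add the path to `.gitignore`, and keep only a README line naming the expected path and format; use a new `kid` for each generated key so rotation is visible to the UI. Until then the file should at least be treated as a leaked credential and never reused outside local runs.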
@@ -0,0 +1,88 @@ +log: + level: debug + format: json + +serve: + proxy: + cors: + enabled: true + allowed_origins: + - "*" + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + allowed_headers: + - Authorization + - Content-Type + exposed_headers: + - Content-Type + allow_credentials: true + debug: true + +errors: + fallback: + - json + + handlers: + redirect: + enabled: true + config: + to: http://127.0.0.1:4455/login + when: + - + error: + - unauthorized + - forbidden + request: + header: + accept: + - text/html + json: + enabled: true + config: + verbose: true + +access_rules: + matching_strategy: glob + repositories: + - file:///etc/config/oathkeeper/access-rules.yml + +authenticators: + anonymous: + enabled: true + config: + subject: guest + + cookie_session: + enabled: true + config: + check_session_url: http://kratos:4433/sessions/whoami + preserve_path: true + extra_from: "@this" + subject_from: "identity.id" + only: + - ory_kratos_session + + noop: + enabled: true + +authorizers: + allow: + enabled: true + +mutators: + noop: + enabled: true + + id_token: + enabled: true + config: + issuer_url: http://127.0.0.1:4455/ + jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json + claims: | + { + "session": {{ .Extra | toJson }} + } From 96a15b96a585ebd0b3b7f9308de639a12135645a Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Thu, 13 Apr 2023 15:16:58 +0530 Subject: [PATCH 09/13] - Updated Ory Oathkeeper to latest version --- ory/kratos/quickstart-oathkeeper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ory/kratos/quickstart-oathkeeper.yml b/ory/kratos/quickstart-oathkeeper.yml index fc180312..10797334 100644 --- a/ory/kratos/quickstart-oathkeeper.yml +++ b/ory/kratos/quickstart-oathkeeper.yml @@ -13,7 +13,7 @@ services: - SECURITY_MODE=jwks oathkeeper: - image: oryd/oathkeeper:v0.40 + image: oryd/oathkeeper:v0.40.2 depends_on: - kratos ports: 
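Review bot: `allowed_origins: - "*"` together with `allow_credentials: true` under `serve.proxy.cors` is either rejected by browsers (a literal `*` origin with credentials) or, if the proxy reflects the requesting origin, grants any site credentialed access to everything behind the proxy; list the real UI origin instead, e.g. `- http://127.0.0.1:4455`. `debug: true` on the proxy and `log.level: debug` belong to local runs only; patch 13 lowers the level through `LOG_LEVEL=info` but leaves `debug: true` in this file. `anonymous.config.subject: guest` and the `cookie_session` block limited to `only: - ory_kratos_session` read correctly.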
From c2a5595a15cb9ce5bceff075ccadf5f36380e0d7 Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 17 Apr 2023 13:15:01 +0530 Subject: [PATCH 10/13] - Updated password hashing algorithm as per OWASP recommendation --- ory/kratos/email-password/kratos.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/ory/kratos/email-password/kratos.yml b/ory/kratos/email-password/kratos.yml index 8527058b..7840dbeb 100644 --- a/ory/kratos/email-password/kratos.yml +++ b/ory/kratos/email-password/kratos.yml @@ -101,9 +101,16 @@ ciphers: algorithm: xchacha20-poly1305 hashers: - algorithm: bcrypt - bcrypt: - cost: 12 + algorithm: argon2 + argon2: + iterations: 3 + parallelism: 1 + salt_length: 16 + key_length: 32 + expected_duration: 500ms + expected_deviation: 500ms + dedicated_memory: 1GB + memory: 128MB session: lifespan: 24h From 4b4a09f77ca44e28ec24d998da212adafa9b3a4e Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 8 May 2023 11:03:13 +0530 Subject: [PATCH 11/13] - Updated Oathkeeper version - Modified Oathkeeper config --- ory/kratos/quickstart-oathkeeper.yml | 2 +- ory/oathkeeper/oathkeeper.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ory/kratos/quickstart-oathkeeper.yml b/ory/kratos/quickstart-oathkeeper.yml index 10797334..b80e33fc 100644 --- a/ory/kratos/quickstart-oathkeeper.yml +++ b/ory/kratos/quickstart-oathkeeper.yml @@ -13,7 +13,7 @@ services: - SECURITY_MODE=jwks oathkeeper: - image: oryd/oathkeeper:v0.40.2 + image: oryd/oathkeeper:v0.40.3 depends_on: - kratos ports: diff --git a/ory/oathkeeper/oathkeeper.yml b/ory/oathkeeper/oathkeeper.yml index ff8ec39c..13457a32 100644 --- a/ory/oathkeeper/oathkeeper.yml +++ b/ory/oathkeeper/oathkeeper.yml @@ -1,6 +1,8 @@ log: level: debug format: json + leak_sensitive_values: false + redaction_text: "" serve: proxy: 
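Review bot: `memory: 128MB` with `dedicated_memory: 1GB` implies a budget of roughly eight concurrent Argon2 hashes (as I understand Kratos derives concurrency from `dedicated_memory / memory`), but none of the compose files cap the `kratos` container's memory, so login or registration load can consume the full budget on a host that was not sized for it; add a memory limit of at least `dedicated_memory` to the `kratos` service in docker-kratos.yml and pair the two with a comment like `# memory * concurrent hashes must fit dedicated_memory and the container limit`. `expected_deviation: 500ms` equal to `expected_duration: 500ms` accepts any hashing time between 0 and 1 s, which makes the tuning target very loose — a tighter deviation such as `100ms` is more usual, as far as I read these keys. `iterations: 3`, `parallelism: 1`, `salt_length: 16` and `key_length: 32` are consistent with current OWASP guidance.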
@@ -82,6 +84,7 @@ mutators: config: issuer_url: http://127.0.0.1:4455/ jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json + ttl: 1m claims: | { "session": {{ .Extra | toJson }} From 43c127fc3113f0c75eedde3bf80cf445042b4a2a Mon Sep 17 00:00:00 2001 From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 8 May 2023 17:29:22 +0530 Subject: [PATCH 12/13] - Renamed docker files - Disabled exposed kratos ports --- ory/kratos/{docker-compose.yml => docker-kratos.yml} | 10 +++++----- ...quickstart-oathkeeper.yml => docker-oathkeeper.yml} | 0 2 files changed, 5 insertions(+), 5 deletions(-) rename ory/kratos/{docker-compose.yml => docker-kratos.yml} (93%) rename ory/kratos/{quickstart-oathkeeper.yml => docker-oathkeeper.yml} (100%) diff --git a/ory/kratos/docker-compose.yml b/ory/kratos/docker-kratos.yml similarity index 93% rename from ory/kratos/docker-compose.yml rename to ory/kratos/docker-kratos.yml index 04e99f2f..b36e1012 100644 --- a/ory/kratos/docker-compose.yml +++ b/ory/kratos/docker-kratos.yml @@ -30,9 +30,9 @@ services: depends_on: - kratos-migrate image: oryd/kratos:v0.11.1 - ports: - - '4433:4433' # public - - '4434:4434' # admin + #ports: + # - '4433:4433' # public + # - '4434:4434' # admin restart: unless-stopped environment: - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 @@ -47,8 +47,8 @@ services: postgresd: image: postgres:15.2 - ports: - - "5433:5433" + #ports: + # - "5433:5433" environment: - POSTGRES_USER=kratos - POSTGRES_PASSWORD=secret diff --git a/ory/kratos/quickstart-oathkeeper.yml b/ory/kratos/docker-oathkeeper.yml similarity index 100% rename from ory/kratos/quickstart-oathkeeper.yml rename to ory/kratos/docker-oathkeeper.yml From 0a8cae9f3f567d0497fb55e928dc3ade351a3759 Mon Sep 17 00:00:00 2001 
From: Sudeep Duggal <5505558+duggalsu@users.noreply.github.com> Date: Mon, 22 May 2023 16:06:05 +0530 Subject: [PATCH 13/13] Harden docker compose files - Added read_only option to containers - Dropped all container capabilities by default - Enabled no new privileges for containers - Modified log level to info - Updated postgres container version - Updated ports formatting as strings --- ory/kratos/docker-kratos.yml | 21 ++++++++++++--------- ory/kratos/docker-oathkeeper.yml | 11 ++++++++--- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/ory/kratos/docker-kratos.yml b/ory/kratos/docker-kratos.yml index b36e1012..fde2cdb6 100644 --- a/ory/kratos/docker-kratos.yml +++ b/ory/kratos/docker-kratos.yml @@ -2,6 +2,11 @@ version: '3.7' services: kratos-migrate: image: oryd/kratos:v0.11.1 + read_only: true + cap_drop: + - ALL + security_opt: + - no-new-privileges:true environment: - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 volumes: @@ -15,8 +20,6 @@ services: kratos-selfservice-ui-node: image: oryd/kratos-selfservice-ui-node:v0.12.6 - #ports: - # - "4455:4455" environment: - PORT=4455 - SECURITY_MODE= @@ -30,13 +33,15 @@ services: depends_on: - kratos-migrate image: oryd/kratos:v0.11.1 - #ports: - # - '4433:4433' # public - # - '4434:4434' # admin + read_only: true + cap_drop: + - ALL + security_opt: + - no-new-privileges:true restart: unless-stopped environment: - DSN=postgres://kratos:secret@postgresd:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4 - - LOG_LEVEL=trace + - LOG_LEVEL=info command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier volumes: - type: bind @@ -46,9 +51,7 @@ services: - intranet postgresd: - image: postgres:15.2 - #ports: - # - "5433:5433" + image: postgres:15.3 environment: - POSTGRES_USER=kratos - POSTGRES_PASSWORD=secret diff --git a/ory/kratos/docker-oathkeeper.yml b/ory/kratos/docker-oathkeeper.yml index b80e33fc..d7db8921 100644 
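Review bot: `read_only: true`, `cap_drop: - ALL` and `security_opt: - no-new-privileges:true` are added to `kratos-migrate` and `kratos` but not to `kratos-selfservice-ui-node` or `postgresd`, which the same hunks touch; the UI node can take all three as-is, and postgresd can take `no-new-privileges` plus `read_only` with a tmpfs for its run directory and a data volume, dropping every capability except the handful its entrypoint needs for chown/setuid at start (verify the exact set against the image). The hardened `kratos` service still runs `command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier`; `--dev` disables Kratos security checks and contradicts a hardening commit, so it should be removed here and kept in a separate local override. `read_only: true` on kratos also deserves a check that nothing writes to the container filesystem at runtime, otherwise a `tmpfs:` entry is needed.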
--- a/ory/kratos/docker-oathkeeper.yml +++ b/ory/kratos/docker-oathkeeper.yml @@ -14,15 +14,20 @@ services: oathkeeper: image: oryd/oathkeeper:v0.40.3 + read_only: true + cap_drop: + - ALL + security_opt: + - no-new-privileges:true depends_on: - kratos ports: - - 4455:4455 - - 4456:4456 + - "4455:4455" + - "4456:4456" command: serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml" environment: - - LOG_LEVEL=debug + - LOG_LEVEL=info restart: on-failure networks: - intranet
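Review bot: `LOG_LEVEL=info` lowers the log level only through the environment, while `ory/oathkeeper/oathkeeper.yml` still carries `log.level: debug` and `serve.proxy.debug: true`; the env override covers the former (assuming the usual key-to-env mapping) but not the latter, so the hardening is incomplete unless that file changes too. The container options mirror those applied to kratos in this commit and fit Oathkeeper, which binds only the unprivileged ports `"4455:4455"` and `"4456:4456"`; whether 4456 should be published at all was raised on patch 08.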