
Add observability message validator component

What does this MR do and why?

This MR adds a MessageValidator that validates the postMessage messages sent by the React app running in the iframe used to log a user into that app. It will be used by the changes introduced in !197536 (merged).

Related MR Slicing

This MR is a slice of a feature that logs a user into the o11y service. The related slices are:

  1. Add observability message validator component (!199631 - merged) <- you are here
  2. Add observability crypto utils (!199632 - closed)
  3. Log a user into the O11y service react app (!197536 - merged) <- full functionality here

The overall sequence looks like this:

sequenceDiagram
    participant RC as Rails Controller
    participant OB as O11y Backend
    participant RV as Rails View
    participant VC as Vue Component
    participant RA as React App (iframe)

    RC->>OB: POST /auth/login<br/>{email, password}
    OB-->>RC: 200 OK<br/>{jwt: "eyJ0eXAi..."}
    
    RC->>RV: render view<br/>@data = tokens, encryption key...
    RV-->>RC: HTML with JWT in data attribute
    
    RC->>VC: serve page with<br/>Vue component
    RV->>VC: mount component<br/>data-jwt="eyJ0eXAi..."
    
    VC->>RA: create iframe<br/>src="app.html"
    RA-->>VC: iframe loaded<br/>ready event
    VC->>RA: postMessage<br/>{type: 'AUTH_TOKEN', jwt: 'eyJ0eXAi...'}
    RA-->>VC: postMessage<br/>{type: 'AUTH_SUCCESS'}

This change is used in this part of the sequence:

sequenceDiagram
    participant VC as Vue Component
    participant RA as React App (iframe)

    RA-->>VC: iframe loaded<br/>ready event
    VC->>RA: postMessage<br/>{type: 'AUTH_TOKEN', jwt: 'eyJ0eXAi...'}
    RA-->>VC: postMessage<br/>{type: 'AUTH_SUCCESS'}

Duo generated description

This code adds a new security feature for validating messages in the observability system. It creates a MessageValidator class that checks incoming messages to ensure they come from a trusted source and have not been tampered with or replayed by an attacker.

The validator performs several checks: it verifies that messages come from the expected origin, ensures the message structure is well formed, validates unique nonces to prevent replay attacks, confirms that counters match the expected values, and checks timestamps to reject old or future-dated messages that might indicate an attack.

The validator also includes cleanup mechanisms that remove old tracking data to bound memory use, and it provides statistics about validation activity. Additionally, it includes test coverage for all validation scenarios, including edge cases such as malformed data, wrong origins, duplicate messages, and out-of-window timestamps.

This enhancement strengthens the application's security by preventing malicious actors from sending fake or replayed messages to the observability features.
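The checks listed above, as an added example that is not code from this MR: a small browser-side validator for the AUTH_SUCCESS postMessage shown in the sequence diagram, written from the Vue (parent window) side. The class name IframeMessageValidator, the option names, the message fields (type, nonce, counter, timestamp), the thresholds and the sample origins are assumptions; the MR's actual MessageValidator API is not on this page. The `event` argument mimics the `origin` and `data` properties of a `MessageEvent`, so the same object can be handed to the validator from a `window.addEventListener('message', ...)` handler.

```javascript
// Added example (not the MR's own code). Names, option values and message
// shape are assumptions; only the list of checks comes from the MR description.

const DEFAULT_OPTIONS = {
  maxAgeMs: 30_000, // reject messages whose timestamp is older than this
  maxSkewMs: 5_000, // tolerate a little clock skew into the future
  allowedTypes: ['AUTH_SUCCESS', 'AUTH_ERROR'], // assumed message types
};

class IframeMessageValidator {
  constructor(expectedOrigin, options = {}) {
    this.expectedOrigin = expectedOrigin; // exact origin of the iframe's React app
    this.options = { ...DEFAULT_OPTIONS, ...options };
    this.seenNonces = new Map(); // nonce -> time it was first accepted
    this.expectedCounter = 0; // next counter value we will accept
    this.stats = { accepted: 0, rejected: 0, reasons: {} };
  }

  reject(reason) {
    this.stats.rejected += 1;
    this.stats.reasons[reason] = (this.stats.reasons[reason] || 0) + 1;
    return { valid: false, reason };
  }

  // `event` has the MessageEvent shape { origin, data }; `now` is injectable for testing.
  validate(event, now = Date.now()) {
    // 1. Origin: an exact string compare, never a prefix or substring match.
    if (event.origin !== this.expectedOrigin) return this.reject('origin');
    // 2. Structure: a plain object with the fields we expect, of the right types.
    const data = event.data;
    if (typeof data !== 'object' || data === null) return this.reject('structure');
    const { type, nonce, counter, timestamp } = data;
    if (!this.options.allowedTypes.includes(type)) return this.reject('type');
    if (typeof nonce !== 'string' || nonce.length < 16) return this.reject('nonce_format');
    if (!Number.isInteger(counter) || !Number.isInteger(timestamp)) return this.reject('structure');
    // 3. Nonce uniqueness: the same message delivered twice is a replay.
    if (this.seenNonces.has(nonce)) return this.reject('replay');
    // 4. Counter: messages must arrive in the order the iframe numbered them.
    if (counter !== this.expectedCounter) return this.reject('counter');
    // 5. Timestamp window: neither from the future (beyond skew) nor too old.
    if (timestamp > now + this.options.maxSkewMs) return this.reject('future');
    if (now - timestamp > this.options.maxAgeMs) return this.reject('stale');

    this.seenNonces.set(nonce, now);
    this.expectedCounter += 1;
    this.stats.accepted += 1;
    return { valid: true, type };
  }

  // Forget nonces that fell out of the acceptance window: a replay carrying one
  // of them would now be rejected as stale anyway, so tracking it is wasted memory.
  cleanup(now = Date.now()) {
    const horizon = this.options.maxAgeMs + this.options.maxSkewMs;
    let removed = 0;
    for (const [nonce, seenAt] of this.seenNonces) {
      if (now - seenAt > horizon) {
        this.seenNonces.delete(nonce);
        removed += 1;
      }
    }
    return removed;
  }

  getStats() {
    return { ...this.stats, trackedNonces: this.seenNonces.size };
  }
}

// Constructed scenario with a fixed clock: one good message, then a replay of it,
// the same message from another origin, and a message with an old timestamp.
function runScenario() {
  const origin = 'https://o11y.example'; // constructed placeholder origin
  const v = new IframeMessageValidator(origin, { allowedTypes: ['AUTH_SUCCESS'] });
  const t0 = 1_700_000_000_000;
  const good = {
    origin,
    data: { type: 'AUTH_SUCCESS', nonce: 'a1b2c3d4e5f60718', counter: 0, timestamp: t0 },
  };
  return {
    first: v.validate(good, t0 + 100),
    replay: v.validate(good, t0 + 200),
    wrongOrigin: v.validate({ ...good, origin: 'https://other.example' }, t0 + 300),
    stale: v.validate(
      { origin, data: { ...good.data, nonce: 'ffffffffffffffff', counter: 1, timestamp: t0 - 60_000 } },
      t0 + 400,
    ),
    removedBeforeWindow: v.cleanup(t0 + 1_000), // nonce still inside the window
    removedAfterWindow: v.cleanup(t0 + 60_000), // window passed, nonce dropped
    stats: v.getStats(),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Two design points worth noting. The cleanup horizon is derived from the same `maxAgeMs` and `maxSkewMs` used by the timestamp check, so a nonce is only forgotten once any message carrying it would be rejected as stale regardless; choosing the two independently is how a "bounded" replay cache quietly reopens the replay window. And the origin comparison is an exact match against the single expected origin, which is the check that makes a postMessage listener safe to expose at all; the structure, nonce, counter and timestamp checks defend against a compromised or misbehaving sender, not against an arbitrary page on the web.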

References

Update login process to use observability_group_o11y_setting table

Screenshots or screen recordings

No UI changes

How to set up and validate locally

You can verify this by testing the full experience outlined here: !197536 (merged)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dakota Dux
