From 469ebfae0ff383f11e262462263cc87d0665cb57 Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Mon, 8 Jul 2024 19:33:08 +0200 Subject: [PATCH 1/9] docs: added metadata and auth flow --- docs/diagrams/auth_flow.svg | 873 +++++++++++++++++++++++++++++ docs/diagrams/metadata_flow.svg | 860 ++++++++++++++++++++++++++++ docs/diagrams/src/auth_flow.d2 | 67 +++ docs/diagrams/src/classes.d2 | 69 +++ docs/diagrams/src/config.d2 | 13 + docs/diagrams/src/metadata_flow.d2 | 44 ++ 6 files changed, 1926 insertions(+) create mode 100644 docs/diagrams/auth_flow.svg create mode 100644 docs/diagrams/metadata_flow.svg create mode 100644 docs/diagrams/src/auth_flow.d2 create mode 100644 docs/diagrams/src/classes.d2 create mode 100644 docs/diagrams/src/config.d2 create mode 100644 docs/diagrams/src/metadata_flow.d2 diff --git a/docs/diagrams/auth_flow.svg b/docs/diagrams/auth_flow.svg new file mode 100644 index 000000000..846e8af5c --- /dev/null +++ b/docs/diagrams/auth_flow.svg @@ -0,0 +1,873 @@ +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4. /authorize4. /authorize4. redirect POST4. redirect POST4. Init SAMLSession Record5. perform authentication6. send and perform verification on SAML response6. send and perform verification on SAML response7. init authorization code flow8. init access session and validate state9. Sign JWT10. return JWT + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/metadata_flow.svg b/docs/diagrams/metadata_flow.svg new file mode 100644 index 000000000..25644503b --- /dev/null +++ b/docs/diagrams/metadata_flow.svg @@ -0,0 +1,860 @@ +service metadata flowuserawsvpcbucketS3cloudfrontdynamoDBoneid-service-metadata 1. send db Event 2. retrieve client metadata3. upate fileretrieve fileretrieve file + + + + + + + + + + + + + + + 
diff --git a/docs/diagrams/src/auth_flow.d2 b/docs/diagrams/src/auth_flow.d2
new file mode 100644
index 000000000..86fff8f51
--- /dev/null
+++ b/docs/diagrams/src/auth_flow.d2
@@ -0,0 +1,67 @@
+...@classes
+vars: {
+ d2-config: @config.config
+}
+direction: right
+
+title: {
+ class: title
+ label: Authentication flow
+}
+
+user: {
+ class: user
+}
+
+IDP: {
+ class: idpSPID
+}
+productClient: {
+ class: externalCloudService
+}
+
+aws: {
+ class: aws
+ ApiGW: {
+ class: apigw
+ }
+
+ vpc: {
+ class: vpc
+ oneid-ecs-core: {
+ class: ECS
+ }
+ }
+
+ dynamoDB :{
+ class: dynamo
+ }
+
+ KMS: {
+ class: KMS
+ }
+}
+
+user -> productClient: 1. Login
+
+productClient -> user: 2. redirect to OneIdentity
+
+user <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: 3. /login
+
+user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 4. /authorize
+user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4. redirect POST
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 4. Init SAMLSession Record
+
+
+user <-> IDP: 5. perform authentication
+
+user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 6. send and perform verification on SAML response
+
+productClient <- aws.vpc.oneid-ecs-core: 7. init authorization code flow
+
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 8. init access session and validate state
+
+aws.vpc.oneid-ecs-core <-> aws.KMS: 9. Sign JWT
+
+aws.vpc.oneid-ecs-core -> productClient: 10. return JWT
+
diff --git a/docs/diagrams/src/classes.d2 b/docs/diagrams/src/classes.d2
new file mode 100644
index 000000000..6c5cd46a4
--- /dev/null
+++ b/docs/diagrams/src/classes.d2
@@ -0,0 +1,69 @@
+classes {
+ *.label.near: bottom-center
+ *.style.border-radius: 5
+ *.style.fill: transparent
+
+ title: {
+ near: bottom-center
+ shape: text
+ style.font-size: 40
+ style.underline: true
+ }
+
+ externalCloudService: {
+ icon: https://icons.terrastruct.com/infra%2F022-hosting.svg
+ }
+
+ user: {
+ icon: https://raw.githubusercontent.com/FortAwesome/Font-Awesome/6.x/svgs/regular/user.svg
+ }
+
+ aws: {
+ label.near: bottom-center
+ style: {
+ stroke-dash: 10
+ stroke: "#f4a261"
+ }
+ }
+
+ vpc: {
+ label.near: top-left
+ style: {
+ stroke-dash: 4
+ }
+ }
+
+ apiGW {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_App-Integration/Arch_32/Arch_%20Amazon-API-Gateway_32.svg
+ }
+
+ lambda: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_AWS-Lambda_32.svg
+
+ }
+
+ ECS: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_Amazon-Elastic-Container-Service_32.svg
+ }
+
+ dynamo: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Database/32/Arch_Amazon-DynamoDB_32.svg
+ }
+
+ s3: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Storage/32/Arch_Amazon-S3-on-Outposts_32.svg
+ }
+
+ cloudfront: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Networking-Content-Delivery/32/Arch_Amazon-CloudFront_32.svg
+ }
+
+ KMS: {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Security-Identity-Compliance/32/Arch_AWS-Key-Management-Service_32.svg
+ }
+
+ idpSPID {
+ shape: image
+ icon: 
https://raw.githubusercontent.com/italia/spid-graphics/master/spid-logos/spid-logo-c-lb.svg
+ }
+}
\ No newline at end of file
diff --git a/docs/diagrams/src/config.d2 b/docs/diagrams/src/config.d2
new file mode 100644
index 000000000..321526591
--- /dev/null
+++ b/docs/diagrams/src/config.d2
@@ -0,0 +1,13 @@
+config: {
+ layout-engine: elk
+ theme-overrides:{
+ N1: "#4C566A"
+ N2: "#4C566A"
+ B1: "#5E81AC"
+ B2: "#81A1C1"
+ B3: "#81A1C1"
+ B4: "#81A1C1"
+ B5: "#81A1C1"
+ B6: "#88C0D0"
+ }
+}
\ No newline at end of file
diff --git a/docs/diagrams/src/metadata_flow.d2 b/docs/diagrams/src/metadata_flow.d2
new file mode 100644
index 000000000..9a0e0f8f5
--- /dev/null
+++ b/docs/diagrams/src/metadata_flow.d2
@@ -0,0 +1,44 @@
+...@classes
+vars: {
+ d2-config: @config.config
+}
+
+direction: right
+
+title: {
+ label: service metadata flow
+ class: title
+}
+
+user: {
+ class: user
+}
+
+
+aws: {
+ class: aws
+ vpc: {
+ class: vpc
+ oneid-service-metadata: {
+ class: lambda
+ }
+ }
+
+ bucketS3: {
+ class: s3
+ }
+
+ cloudfront: {
+ class: cloudfront
+ }
+
+ dynamoDB :{
+ class: dynamo
+ }
+}
+
+aws.dynamoDB -> aws.vpc.oneid-service-metadata: 1. send db Event
+aws.dynamoDB <-> aws.vpc.oneid-service-metadata: 2. retrieve client metadata
+aws.vpc.oneid-service-metadata -> aws.bucketS3: 3. upate file
+
+user -> aws.Cloudfront -> aws.bucketS3: retrieve file
From 64b3e067d1a9a71182de7e8a7258c2faf37aca48 Mon Sep 17 00:00:00 2001
From: himazawa <73994521+himazawa@users.noreply.github.com>
Date: Mon, 15 Jul 2024 15:16:28 +0200
Subject: [PATCH 2/9] chore: uniformed syntax
---
 docs/diagrams/src/classes.d2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/diagrams/src/classes.d2 b/docs/diagrams/src/classes.d2
index 6c5cd46a4..ddf08fb62 100644
--- a/docs/diagrams/src/classes.d2
+++ b/docs/diagrams/src/classes.d2
@@ -1,4 +1,4 @@
-classes {
+classes: {
 *.label.near: bottom-center
 *.style.border-radius: 5
 *.style.fill: transparent
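Review bot: The final edge of metadata_flow.d2, `user -> aws.Cloudfront -> aws.bucketS3: retrieve file`, is the only unnumbered step in the flow and spells the node `Cloudfront` although it is declared as `cloudfront` a few lines above; D2 resolves keys case-insensitively (the rendered SVG shows a single cloudfront node), but the mismatch reads as a second node to anyone skimming the source. Step 3 also carries a typo, `3. upate file`. I would change the two lines to `aws.vpc.oneid-service-metadata -> aws.bucketS3: 3. update file` and `user -> aws.cloudfront -> aws.bucketS3: 4. retrieve file` so the read path is numbered like the write path.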
@@ -33,7 +33,7 @@ classes {
 }
 }
 
- apiGW {
+ apiGW: {
 icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_App-Integration/Arch_32/Arch_%20Amazon-API-Gateway_32.svg
 }
 
@@ -62,7 +62,7 @@ classes {
 icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Security-Identity-Compliance/32/Arch_AWS-Key-Management-Service_32.svg
 }
 
- idpSPID {
+ idpSPID: {
 shape: image
 icon: https://raw.githubusercontent.com/italia/spid-graphics/master/spid-logos/spid-logo-c-lb.svg
 }
From 84dcae7be97dda4abea96c9d742aa6c5bdb999f4 Mon Sep 17 00:00:00 2001
From: himazawa <73994521+himazawa@users.noreply.github.com>
Date: Fri, 11 Oct 2024 12:31:47 +0200
Subject: [PATCH 3/9] feat: improved request details, added param store, added pinning on svgs
---
 docs/diagrams/src/auth_flow.d2 | 27 +-
 docs/diagrams/src/auth_flow.svg | 878 ++++++++++++++++++++++++++++++++
 docs/diagrams/src/classes.d2 | 22 +-
 3 files changed, 910 insertions(+), 17 deletions(-)
 create mode 100644 docs/diagrams/src/auth_flow.svg
diff --git a/docs/diagrams/src/auth_flow.d2 b/docs/diagrams/src/auth_flow.d2
index 86fff8f51..466f0a8b5 100644
--- a/docs/diagrams/src/auth_flow.d2
+++ b/docs/diagrams/src/auth_flow.d2
@@ -16,6 +16,7 @@ user: {
 IDP: {
 class: idpSPID
 }
+
 productClient: {
 class: externalCloudService
 }
@@ -37,9 +38,14 @@ aws: {
 class: dynamo
 }
 
+ parameterStore {
+ class: parameterStore
+ }
+
 KMS: {
 class: KMS
 }
+
 }
 
 user -> productClient: 1. Login
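Review bot: The new `parameterStore {` block inside the aws container omits the colon that PATCH 2 ("uniformed syntax") just introduced for every other key in these files (`KMS: {`, `vpc: {`), and the same shorthand is used for the new `parameterStore {` class in the classes.d2 hunk of this commit (ending on L9). Both forms parse, but the series has standardized on `name: {`, so write `parameterStore: {` in both places. In that classes.d2 hunk the KMS icon is also switched to the `_48` asset while every other service keeps its `_32` variant, which looks unintentional given the commit's stated purpose of pinning the icon revision.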
@@ -48,20 +54,25 @@ productClient -> user: 2. redirect to OneIdentity
 
 user <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: 3. /login
 
-user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 4. /authorize
-user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4. redirect POST
-aws.vpc.oneid-ecs-core -> aws.dynamoDB: 4. Init SAMLSession Record
+user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 4: /authorize
+aws.vpc.oneid-ecs-core -> aws.parameterStore: 4.1: retrive key pem file from parameter store
+user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4.2: redirect POST
 
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 5: init SAMLSession record
 
-user <-> IDP: 5. perform authentication
 
-user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 6. send and perform verification on SAML response
+user <-> IDP: 6: perform authentication
 
-productClient <- aws.vpc.oneid-ecs-core: 7. init authorization code flow
+user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 7: send and perform verification on SAML response
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.1: retrieve certificate data
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.2: update SAMLSession and initialize OIDCSession records
 
-aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 8. init access session and validate state
+productClient <- aws.vpc.oneid-ecs-core: 8: init authorization code flow
+productClient -> aws.vpc.oneid-ecs-core: 8.1: send /token POST to init access token session
+
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 9. init access session and validate state
 
-aws.vpc.oneid-ecs-core <-> aws.KMS: 9. Sign JWT
+aws.vpc.oneid-ecs-core <-> aws.KMS: 10. Sign JWT
 
 aws.vpc.oneid-ecs-core -> productClient: 10. return JWT
 
diff --git a/docs/diagrams/src/auth_flow.svg b/docs/diagrams/src/auth_flow.svg
new file mode 100644
index 000000000..d96a4da10
--- /dev/null
+++ b/docs/diagrams/src/auth_flow.svg
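Review bot: The new step-4.1 label introduces a typo, `retrive`, that survives unchanged into the renumbering in PATCH 5 (hunk ending on L13) and into the regenerated SVGs. The label also says only "key pem file" without stating which key is fetched, while step 10 shows JWT signing delegated to KMS; a reader can come away believing a signing private key is held both in Parameter Store and in KMS. If 4.1 is the key used to sign the SAML request sent at 4.2, say so, e.g. `4.1: retrieve SAML signing key (PEM) from parameter store`; if it is something else, name that instead. The duplicate `10.` numbers and the mixed `4:`/`9.` separators are already addressed by PATCH 5, so I am not raising them here.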
@@ -0,0 +1,878 @@ +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: redirect POST4.2: redirect POST5: Init SAMLSession Record6: perform authentication7: send and perform verification on SAML response7: send and perform verification on SAML response7.1: retrieve certificate data7.2: update SAML SESSION RECORD and initialize OIDCSession record8: init authorization code flow8.1: send /token POST to init access token session9. init access session and validate state10. Sign JWT10. return JWT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/src/classes.d2 b/docs/diagrams/src/classes.d2 index ddf08fb62..1120dd61b 100644 --- a/docs/diagrams/src/classes.d2 +++ b/docs/diagrams/src/classes.d2 @@ -19,7 +19,7 @@ classes: { } aws: { - label.near: bottom-center + label.near: bottom-left style: { stroke-dash: 10 stroke: "#f4a261" 
@@ -27,43 +27,47 @@ classes: {
 }
 
 vpc: {
- label.near: top-left
+ label.near: bottom-left
 style: {
 stroke-dash: 4
 }
 }
 
 apiGW: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_App-Integration/Arch_32/Arch_%20Amazon-API-Gateway_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_App-Integration/Arch_32/Arch_%20Amazon-API-Gateway_32.svg
 }
 
 lambda: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_AWS-Lambda_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_AWS-Lambda_32.svg
 
 }
 
 ECS: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_Amazon-Elastic-Container-Service_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_Amazon-Elastic-Container-Service_32.svg
 }
 
 dynamo: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Database/32/Arch_Amazon-DynamoDB_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Database/32/Arch_Amazon-DynamoDB_32.svg
 }
 
 s3: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Storage/32/Arch_Amazon-S3-on-Outposts_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Storage/32/Arch_Amazon-S3-on-Outposts_32.svg
 }
 
cloudfront: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Networking-Content-Delivery/32/Arch_Amazon-CloudFront_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Networking-Content-Delivery/32/Arch_Amazon-CloudFront_32.svg
 }
 
 KMS: {
- icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/main/q1-2022/Architecture-Service-Icons_01312022/Arch_Security-Identity-Compliance/32/Arch_AWS-Key-Management-Service_32.svg
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Security-Identity-Compliance/48/Arch_AWS-Key-Management-Service_48.svg
 }
 
 idpSPID: {
 shape: image
 icon: https://raw.githubusercontent.com/italia/spid-graphics/master/spid-logos/spid-logo-c-lb.svg
 }
+
+ parameterStore {
+ icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Resource-Icons_01312022/Res_Management-Governance/Res_48_Light/Res_AWS-Systems-Manager_Parameter-Store_48_Light.svg
+ }
 }
\ No newline at end of file
From e49ff4c3e84b84cedbf07b5d17c6b78f614aca9c Mon Sep 17 00:00:00 2001
From: himazawa <73994521+himazawa@users.noreply.github.com>
Date: Fri, 11 Oct 2024 12:34:44 +0200
Subject: [PATCH 4/9] chore: moved auth_flow diagram svg to diagrams folder
---
 docs/diagrams/auth_flow.svg | 631 +++++++++++------------
 docs/diagrams/src/auth_flow.svg | 878 --------------------------------
 2 files changed, 318 insertions(+), 1191 deletions(-)
 delete mode 100644 docs/diagrams/src/auth_flow.svg
diff --git a/docs/diagrams/auth_flow.svg b/docs/diagrams/auth_flow.svg
index 846e8af5c..d96a4da10 100644
--- a/docs/diagrams/auth_flow.svg
+++ b/docs/diagrams/auth_flow.svg
@@ -1,27 +1,27 @@ -Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4. /authorize4. /authorize4. redirect POST4. redirect POST4. Init SAMLSession Record5. perform authentication6. send and perform verification on SAML response6. send and perform verification on SAML response7. init authorization code flow8. init access session and validate state9. Sign JWT10. return JWT - - - - - - - - - - - - - - - - - - - - - - - - - - - +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: redirect POST4.2: redirect POST5: Init SAMLSession Record6: perform authentication7: send and perform verification on SAML response7: send and perform verification on SAML response7.1: retrieve certificate data7.2: update SAML SESSION RECORD and initialize OIDCSession record8: init authorization code flow8.1: send /token POST to init access token session9. init access session and validate state10. Sign JWT10. return JWT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/src/auth_flow.svg b/docs/diagrams/src/auth_flow.svg deleted file mode 100644 index d96a4da10..000000000 --- a/docs/diagrams/src/auth_flow.svg +++ /dev/null 
@@ -1,878 +0,0 @@ -Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: redirect POST4.2: redirect POST5: Init SAMLSession Record6: perform authentication7: send and perform verification on SAML response7: send and perform verification on SAML response7.1: retrieve certificate data7.2: update SAML SESSION RECORD and initialize OIDCSession record8: init authorization code flow8.1: send /token POST to init access token session9. init access session and validate state10. Sign JWT10. return JWT - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - From 8b81ec0ce4eba043346e1df0833ec62df4ffc467 Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Fri, 11 Oct 2024 12:54:22 +0200 Subject: [PATCH 5/9] fix: fixed request numbers --- docs/diagrams/auth_flow.svg | 638 +++++++++++++++++---------------- docs/diagrams/src/auth_flow.d2 | 28 +- 2 files changed, 332 insertions(+), 334 deletions(-) diff --git a/docs/diagrams/auth_flow.svg b/docs/diagrams/auth_flow.svg index d96a4da10..df37c2902 100644 --- a/docs/diagrams/auth_flow.svg +++ b/docs/diagrams/auth_flow.svg 
@@ -1,27 +1,27 @@ -Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: redirect POST4.2: redirect POST5: Init SAMLSession Record6: perform authentication7: send and perform verification on SAML response7: send and perform verification on SAML response7.1: retrieve certificate data7.2: update SAML SESSION RECORD and initialize OIDCSession record8: init authorization code flow8.1: send /token POST to init access token session9. init access session and validate state10. Sign JWT10. return JWT - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: init SAMLSession record4.3: redirect POST4.3: redirect POST5: perform authentication6: send and perform verification on SAML response6: send and perform verification on SAML response6.1: retrieve certificate data6.2: update SAMLSession and initialize OIDCSession records7: init authorization code flow7.1: send /token POST to init access token session7.1: send /token POST to init access token session7.2: retrieve ClientRegistrations data7.3: init access session and validate state7.4: Sign JWT7.5: return JWT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/src/auth_flow.d2 b/docs/diagrams/src/auth_flow.d2 index 466f0a8b5..7f1768a6b 100644 --- a/docs/diagrams/src/auth_flow.d2 +++ b/docs/diagrams/src/auth_flow.d2 
@@ -56,23 +56,19 @@ user <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: 3. /login
 
 user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 4: /authorize
 aws.vpc.oneid-ecs-core -> aws.parameterStore: 4.1: retrive key pem file from parameter store
-user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4.2: redirect POST
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 4.2: init SAMLSession record
+user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4.3: redirect POST
 
-aws.vpc.oneid-ecs-core -> aws.dynamoDB: 5: init SAMLSession record
+user <-> IDP: 5: perform authentication
+user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 6: send and perform verification on SAML response
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 6.1: retrieve certificate data
+aws.vpc.oneid-ecs-core -> aws.dynamoDB: 6.2: update SAMLSession and initialize OIDCSession records
 
 
-user <-> IDP: 6: perform authentication
-
-user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 7: send and perform verification on SAML response
-aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.1: retrieve certificate data
-aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.2: update SAMLSession and initialize OIDCSession records
-
-productClient <- aws.vpc.oneid-ecs-core: 8: init authorization code flow
-productClient -> aws.vpc.oneid-ecs-core: 8.1: send /token POST to init access token session
-
-aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 9. init access session and validate state
-
-aws.vpc.oneid-ecs-core <-> aws.KMS: 10. Sign JWT
-
-aws.vpc.oneid-ecs-core -> productClient: 10. return JWT
+productClient <- aws.vpc.oneid-ecs-core: 7: init authorization code flow
+productClient -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 7.1: send /token POST to init access token session
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 7.2: retrieve ClientRegistrations data
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 7.3: init access session and validate state
+aws.vpc.oneid-ecs-core <-> aws.KMS: 7.4: Sign JWT
+aws.vpc.oneid-ecs-core -> productClient: 7.5: return JWT
 
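Review bot: After this renumbering every new label uses `N:` as the separator while the untouched context lines above the hunk (`1. Login`, `2. redirect to OneIdentity`, `3. /login`) still use `N.`, so the finished diagram mixes both styles in one sequence; pick one and apply it to the three context lines as well. The Parameter Store read at 4.1 (context here, introduced in PATCH 3) is also the only data retrieval drawn one-way, whereas the comparable reads at 6.1 and 7.2 are `<->`; for consistency I would write `aws.vpc.oneid-ecs-core <-> aws.parameterStore: 4.1: retrieve key pem file from parameter store`, which also fixes the `retrive` typo carried over from PATCH 3. The enclosing flow starts outside this hunk.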
From 92dc337ad432067af9d1567c6810afef21647278 Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Fri, 11 Oct 2024 14:52:17 +0200 Subject: [PATCH 6/9] feat: added infra scheme, moved icons to local storage Signed-off-by: himazawa <73994521+himazawa@users.noreply.github.com> --- docs/diagrams/auth_flow.svg | 568 +++++++++--------- docs/diagrams/icons/KMS.svg | 18 + docs/diagrams/icons/apigw.svg | 18 + docs/diagrams/icons/cloudfront.svg | 18 + docs/diagrams/icons/dynamo.svg | 18 + docs/diagrams/icons/ecs.svg | 20 + docs/diagrams/icons/github.png | Bin 0 -> 5022 bytes docs/diagrams/icons/lambda.svg | 18 + docs/diagrams/icons/pagopa.jpeg | Bin 0 -> 4465 bytes docs/diagrams/icons/paramstore.svg | 7 + docs/diagrams/icons/s3.svg | 18 + docs/diagrams/icons/spid-logo.svg | 1 + docs/diagrams/infra.svg | 885 +++++++++++++++++++++++++++++ docs/diagrams/metadata_flow.svg | 570 +++++++++---------- docs/diagrams/src/auth_flow.d2 | 2 +- docs/diagrams/src/classes.d2 | 28 +- docs/diagrams/src/infra.d2 | 114 ++++ 17 files changed, 1721 insertions(+), 582 deletions(-) create mode 100644 docs/diagrams/icons/KMS.svg create mode 100644 docs/diagrams/icons/apigw.svg create mode 100644 docs/diagrams/icons/cloudfront.svg create mode 100644 docs/diagrams/icons/dynamo.svg create mode 100644 docs/diagrams/icons/ecs.svg create mode 100644 docs/diagrams/icons/github.png create mode 100644 docs/diagrams/icons/lambda.svg create mode 100644 docs/diagrams/icons/pagopa.jpeg create mode 100644 docs/diagrams/icons/paramstore.svg create mode 100644 docs/diagrams/icons/s3.svg create mode 100644 docs/diagrams/icons/spid-logo.svg create mode 100644 docs/diagrams/infra.svg create mode 100644 docs/diagrams/src/infra.d2 diff --git a/docs/diagrams/auth_flow.svg b/docs/diagrams/auth_flow.svg index df37c2902..d48149ef5 100644 --- a/docs/diagrams/auth_flow.svg +++ b/docs/diagrams/auth_flow.svg 
@@ -1,26 +1,26 @@ -Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: init SAMLSession record4.3: redirect POST4.3: redirect POST5: perform authentication6: send and perform verification on SAML response6: send and perform verification on SAML response6.1: retrieve certificate data6.2: update SAMLSession and initialize OIDCSession records7: init authorization code flow7.1: send /token POST to init access token session7.1: send /token POST to init access token session7.2: retrieve ClientRegistrations data7.3: init access session and validate state7.4: Sign JWT7.5: return JWT +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: init SAMLSession record4.3: redirect POST4.3: redirect POST5: perform authentication6: send and perform verification on SAML response6: send and perform verification on SAML response6.1: retrieve certificate data6.2: update SAMLSession and initialize OIDCSession records7: init authorization code flow7.1: send /token POST to init access token session7.1: send /token POST to init access token session7.2: retrieve ClientRegistrations data7.3: init access session and validate state7.4: Sign JWT7.5: return JWT - + diff --git a/docs/diagrams/icons/KMS.svg b/docs/diagrams/icons/KMS.svg new file mode 100644 index 000000000..94e0a9ecb --- /dev/null +++ b/docs/diagrams/icons/KMS.svg @@ -0,0 +1,18 @@ + + + + Icon-Architecture/48/Arch_AWS-Key-Management-Services_48 + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/diagrams/icons/apigw.svg b/docs/diagrams/icons/apigw.svg new file mode 100644 index 000000000..196a49756 --- /dev/null +++ b/docs/diagrams/icons/apigw.svg 
@@ -0,0 +1,18 @@ + + + Icon-Architecture/32/Arch_ Amazon-API-Gateway_32 + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/diagrams/icons/cloudfront.svg b/docs/diagrams/icons/cloudfront.svg new file mode 100644 index 000000000..65d1f7dc6 --- /dev/null +++ b/docs/diagrams/icons/cloudfront.svg @@ -0,0 +1,18 @@ + + + + Icon-Architecture/32/Arch_Amazon-CloudFront_32 + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/diagrams/icons/dynamo.svg b/docs/diagrams/icons/dynamo.svg new file mode 100644 index 000000000..5a67a3789 --- /dev/null +++ b/docs/diagrams/icons/dynamo.svg @@ -0,0 +1,18 @@ + + + + Icon-Architecture/32/Arch_Amazon-DynamoDB_32 + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/diagrams/icons/ecs.svg b/docs/diagrams/icons/ecs.svg new file mode 100644 index 000000000..2f2564dd8 --- /dev/null +++ b/docs/diagrams/icons/ecs.svg @@ -0,0 +1,20 @@ + + + + Icon-Architecture/32/Arch_Amazon-Elastic-Container-Service_32 + Created with Sketch. + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/docs/diagrams/icons/github.png b/docs/diagrams/icons/github.png new file mode 100644 index 0000000000000000000000000000000000000000..d4cfe72b372a5b1d556432cd93eeca0874c576b6 GIT binary patch literal 5022 zcmZ`+WmuG5*S#4!B?X3=ff+_xS`?6yR!YPnr9--7P+(9bMY`i51SCX2=~POPFhGzT zl~P)|-+S+mRz1G@mpFb0&r=w0w1*HN2fL2pOMIU@`5WW<|;FB_j zJr8`5I4Ef=0YG&e^|2Kx_?yc{Lth&J0(k%c7X|=_U<$Vc0KTFC@Y@mqWYPhE)g!y< z_H_V&Z0l(msDcN;4-CcwMR3CqXbvtk2PZcNf}4Z$Jm3NYZWt$ukOZIL8BP=&&dZ2K zL%|Fem`B49e|Nb-1i~3EZf0IyC;|m87$F1Z!9o-Ziy#*l7nBPHBS8IcfjCeu?u$qy zD1)7#;a@cH7?cYwC@9FvDolVS(1F6x1Q1Z?{}9jwRa~GRG#q&efk6BvW#vAnIB$f| zASX8fC_bXV z3zma6f(9blxVX*_6Po>d29yUQ_)qWz1|zu228t(45S$U3U=euoe0*R)Fzv4)=T3s! z{%%2`pjvRCU=?9-gmMnPb2ACbbFmm=n#)$$Rb zBG?NjC+A;$0x8H&Xa~HO|4Ie9*f}qO7w^1~`|Rv&e+PLLyc35$`Z{+2A`V$I&#?50 z_RrHZYujn2P&%3Wsg2+E8&Vu-RYIyxgOzF6jFX0rj|LNsScxV4yG}+U$*9ZM%PT^!T#la(>S%4@s@wN0n|Rf^SX6g}ys4wiw*@{W^w> zekvEIAuIVy0H zngV~2`)F#bk}r{y(onH>a>S?r0A0SOijqOV#A*&!@oqPwmmHfK*vj`pGa9R`rKhZ- zqM>wKQS+i_qcB?~Nd{8C_(yoO{iQkK$|&l!g~W`xwv>!{Y73JL%tE)3;xikah` zZK^<#Y`b6yhlA-qM|&9(?Zd5$*%=3e?!gK-XcEM?M$f+Z+}d?eVpVg=fZ&+<4lF$v+uO6 zh)v|b3dDQyz3|Pdi)&_g@o0|U%{NeizsvOXVV&5h%R#*$i;jGVf+@Hz3g7-@AmO`u z@$q5o?$S(Wj8nzZ3!{n#&rP{fVJFyUYGkE@Eo4-iQg^pUHEX;`Zq!&)tna?ZokOD+ zL^oF_FOa(R?w^iu(Ng?!k*Smm=DMQynCya>KP+0akgVJ-h=~=W{7(T7-}D#s6!f-~ zQ?yG$=Rg29A}+7EPq1r4%*mGV%H2XWj_64dq4>;-JR0IO7TvKTie$%;GL*Dnd_nx> zPI}I_5}M4hpL>^vCw)j%pD#J=_}zb6^nTkcI=AK9FXo({`K4ajnVSp(d)U?h3yLB> z7HGlneS^4yQIcl5W*!m!uFPwiTScF)MVrXIuAR@xR!?yL$b1=FLYKF6#r1i3ZmijF zvgnTk{&3lxrY9}Owcm3Rbf;Cgo1EXuddv87UD?Ymj<}8Mb?unmTsaip^MI zM+POAE-{$@b9-b}Qr9xoF(jiYAF;4!JXYvdYS=K=KBB!Nz`1^`=ub)qAMP|YQklkJ z=oAdwzmCN2K&R3gaZR;>xRce9!CLxjg$A=0M$C-u0h)zHWV+p`R8`uzIQR6FQa`J0 zua8e{GMt9HQ{4NaQ_9KMi8+#!M}?~k#zxBwd6oPo-i65p_iBl0OvP^nEw@?AC$+I^ z%f+->NLuRTy@Xq3^?bE&;-*;sgrCi2PkW}Y@q5llD>q9{z4o7NaAb7OZJlKH-!qbO zFKoRVI%^v^vRfX;+&;g(N17@mQ#J2e>)5fjMxHey?Cm!?VBnb0Z@nbz)IvM{gLkof ztqtyFX6U#7{Qb^)wAVU?tu-dfJnlq`)JV?hAQyfp|j{aUz8`q!!XWUbMnQ 
zjfzvrxPkD7p`vV_1l;Zj2hj!*u2uJD#T~`P90w#2%w+k>eWz&0La8$C4h3%b22Euf z?u?D(IQyU_N%8yd`MZWu)1l8i_l#xVw}i>z*1BSfiO*>5Jy=A{s3gyN$cu@Iz3($O z2WIBtWS%-_4a$-_RWG}gGrc(gn)^EN?MrWBW@!#p(uPD&63j^@u`1VG1c&Z!E`$`V za)e5~Vh$)!cv}@Pp4xMw#Y?M;xfAqAdD+r$)>Qmn_!YCK zVQJ_Ps+tGG)8Q`_S0{eN)lmi{TC%L=sQJ zF*=#YI8&i5`ag-~0Is~ga-F*26sm?-=?I;jd=|q4;K#%uNkJ=stJ}R(dOV9!C}RMn z?Aw@nVG*nLW1Hlb_|RV$l~7zQSRx(#&`Pt`0pd9so(1uYDIHMz0en=kqt?gA#(S2^ z0|9*cc#&@mCW$8i{@U{n-0(I-WUn{{zes0eOS25{t$@FSYAQ7+pP{rn*b{-l3$M^v zRA>8_8Q4^GNQ|?mCd#a^#&uF%&&>IL#rl947!FhU3DC(7cT&-e(_B{vzO4;elb&Yh zSP2uk(3)03LI#KEm4JiUVk^=%x^aFK&NYIhqGK51r$d3Zu9ncppU_*r*HH!Z@j`xK zl_dJ#S0q4HEf(D*iQGq6FdQsELHeBbh4d{IQG2KHrI&)J`9--h)CBk*k(Z8%!>VLc zb)1NC7rv8_Wsesy^;va{HeL%wCUn(WW_4B%HNI<`xB^4QQ3JTB8HIx;vPzGW~X5E%ukB8KQBvrC2zp(F#{xxcx8{42h9XI zrj?($5qUCS4}D1NsMmymduT_V$Wn?1uzkO{iHSVOa=Wrb43Up=(}Uzd8glRuzj!Gt z4spDp(!#9#I3u}}(h(PNF1gqYL!gGGF=jY0??({S_F-9}_SJEVvl;dLj8;Z`{Ib1G2E{Lkb|wjA z22qj-uSbTl9*WnM-Y1vmY$G9eUu4XiW)*<$KEgcM>-NO$uPeSLURPsmBRh%tvPu!) zpmeJ=_(A} zony&kk=(4GYUMW~+J5f%V8R13GCUlwsIM-DT&vyF#B04K!i?LY zMpA(CwE#zS``)R!Q5JuebIzU@`*L7erG?m-whMdDuwv@gXj2^>gNf11Xw8ks*jMTs z>`i6;K?~lHFGS&iW&UyVwXdBR72^zMWIw$OzkG?&rs38D!&_T?`lDieoxSukg}n!^ z*Y#K3h>DK=3+;?&m!C}vf9`S5Qz^qd*}A^?A?fA_in%1Dz&Y4FZdE~#LDSA8Hl@vH zMBTrClC0ubr?IYX-EeZ}=DXvc3bJ})@RX*Pwp~AbN}Sp*r@o+}#Af-vhkRO(3ZZ1Z zog(~&>(@lT@4;AGd+}F)`<_@N^t1U&vpWe(n$H^K$mG{G&M|U}lkvE*p?G7Ht|8X1 zXTNO9qV(;oJ<-c10oW$BfbIO8Q5$M80DP{jTFQy|Pxie!nyn z6Jqvlt(vX4?c-Ws>W^PwujJObo~Ub8%4jdyr3D7^uN?^3M66XQaN~0sawwt3WX^B#k?2ENF(hCF7F{k#t7Qp%Pg125KUkQ~wy;sy(TG~jzVpFr5NG@@M^>P# zu8~<=$UwH+uxq(<@N;xpDNH1TUqN{8K-wbU?!1q*f9e-$=w=Oz8D=1B$>h0A9nPDs zyl&65f_4MibNX)nf+dfZ=ZPTmbn!7c+Wc!+eOTi=C;x*hACxN%>5lHUwd)6u^%7kU zAeQ?kOOw&stJyBbxV^y+l#<=oI$)idRCs602Uz=nzJ z6h2Y1B9-I%bm{?p{denZwNm*%s#xBRy>E8I{SItZ?iloYQ(n@UMYcv`)#_6Yhq+=l z_b#too!$@HVziO6LJSt!Tx zr2S_3o0s(NQSTB(OKMU*{zbs7gx&N7*&S+OcvmmSv}w$cNMCB}n;iHUIH*{b;QHGk0rxv=Afq z2b@Y$C{{8N*&`-7X3cI{JL4S@^-yHE6YCx4bfB|}PoL7cxa1CPsBif;5v&R^d8|!O 
zSwpHm=r^9X#*iRU)hCmfB6=IiBz_NBj03)wY=Nmd zLX;%Vmvt#muyb}<`RT~yZ=zaM`JK^z--{vERg5dU#z3l^ zn!Utc2;^#tr>Wg{jclj0Ru?DsuBm&HpKIb+>i2$Nv8X U=B%-FU;&`1s-seQ!}8I80N%xXdjJ3c literal 0 HcmV?d00001 diff --git a/docs/diagrams/icons/lambda.svg b/docs/diagrams/icons/lambda.svg new file mode 100644 index 000000000..77c67f47d --- /dev/null +++ b/docs/diagrams/icons/lambda.svg @@ -0,0 +1,18 @@ + + + + Icon-Architecture/32/Arch_AWS-Lambda_32 + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/docs/diagrams/icons/pagopa.jpeg b/docs/diagrams/icons/pagopa.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..cb11ace9c6e1d6d68f65c8f941507a36a49de583 GIT binary patch literal 4465 zcmb7HcT`hbvp=aw3rVOFI!IBfbPP?T3rdj^r3*qR(gZ=c5(ESh2%;#6l+XnvROt{z zdM`dikY1%ov2X?Xf>+;rf4p_qdi(5k&RKiPn%TeEGqaDzk7fX*fsVco00IF3i249W z9{?=?0tO#X>VQ%w>;w!3g~I4)Xy7Lp=olF2>FDVh5ojbM0)?QbN3tPN%q*;|tPD)- z9BeEcXcktMV%M6+oQ;I)P3INB{t%KoAt@s14wv8VQDg zj_v(3;51YdscTd!hPr-C{X?RDVQ?@6N&`BY02m-tA`*h6db&pZUmXAEFJxi=i*`=R z?x7Ah-!BFRrMF^&7B${$y{mM61LS2|_^a_PyB3Fd?uUA?pJrMMwR4bX(5)#w&V*}x@d2ds$|Hh@AZ!UkO#7d?|*>!19@dTopNUi-M;S3{vzBe2FHk-Q8LX=fP>Vh>IjctxQi+ zzy`u#&?RNTFuk|hMJ6t;p*){+_}uALce+JS|72&2kvMB!p7zcugfqGPWIDF$#wns| zNtybhs9tEshxa8g+Tx{)LYx&HTRmhVJyxH)v9xo3Ox5naZ^096o;fbVg<>|gZ6`P} z5j)0cot}P&=e_kjnXGqyNsS`R)UJLK&Z%J}jb&CVcxx)$w?Nz=DCStCv4OSO0AbMDl< zD|#H#J55>GkGV#lTI{RZ_qnt{xbF+g;HdVLpUFmsqK(RHk!uemTq(Y*E8Xc=UXv<` zaM}3oceVBdmhlCn_`ld%ht!^d3-jbv%(g3QH=CT@%$1G+le<*x6i@(&ngU?7aGKxP zQK5qZFcd!=Eu-nf%)%!ieb$7Kh-AI&kX0rqbe=LayZsAE>giJleRtqvFp@uYzn@Y3 z456dE)(#W#NhU-(N^Nx{hj<&0rX;P&p?^~QCOIai{3+xUchkKf$4J zx%NbTXIyzw!r*9-M7M{^P@DfN(~EjV{+?477+>c?Q@dWKMvtPYvRa11Jw%<~yhQ=_ zr=F+HP)go}me>go`_mq5HxvtIWI?lzR|DX|o;CQiVA_2WS0 zeKHJxh}@I+Q-ovVD|@XLUy7x&b&t)(IG_{cQ`%aq!xQ;D2gQO|=$cKPI=@d#%~cJD zw9G7+`*sAR@|JMF7)UbJWz9Sssgn}f&wszxA?jl?(Q)&WpJgDIQ{?Kp&mvb9XC%%| z+mmerXKi!GNVeh|FJ27CHd-YVWidK!Lv>XdNp%$rIza=a`|a$pt0*WE%`c;A;^4!~ zCm<+&_PmCfFM&nY)Y027F{_LsM;iK_N8sw<1C=1I_sDChM}Wv7=BKG%)XLn<51x?W zV)ynEPJJm1uHMQGn9+uz_ilc@K4dk}b#q>rX~*(ADbF^ssW;fYB8nI-FG_n$XW!9sRV`Aj%$NJG%L*yOB@gA}~k4_>>o{#hhDcJ`rIcZee zS*noPv8U&0C2C3n2OI992OqJ^)J&WqC3nT}X5W5f9Dv94$vxs)cJg)eQ7XHoVyb#z z1iM0)ZQtc)I#8}zY^EjB_4;8r$4}3iD0ykt)_Ix`h%ywqAwN3F z8Shj436pR?>YmF}c?R9CJFg`Rlc#F@52_c?A6_eDB=;8&F`e3MC}M{9A+Sn;{&w$6 z)Yd-~#WvS@JTttLySDPp@r%M{><=C;4#KK(URH+V3v8i{u`jtsRWpjF;i;YYeY%d< zY_Du|0+e5p7Dh+bowA=?idM@`#VYgNJris8Mzlg|%Le)_M6K_W^xhF>*&cS*?v=#cS-Ond3=Rns=zs@ 
z*X8Q8zTvmX>b%h%GJJEpxJ7yrzl>lxe1reH+RMwmmLNC>Pko!T+1V9|A=%BbP4N$p0+e#vYdg1{*PycwYbiI3`;&y57#p)*=*Ln30 z1bNtJ7VMqkhHK(0Lo zlhIK!eEYL(ZYl!}&JxLL>PO~n;&vNYZFWi+@zh9Y`|JCyEFZw&WI>DnE9Hdy%u>N0 z;SQ9K-;4L8N2q~p_QX5mrFUkV;p0f7i5&q;&uF8ma@3hBjF~+x?t45_-K7+=1qTPN zTJxE7V7h9jvl(Lw;bMTE%dld-vN~IlI8ll50f_NoP|amQ8Q(V{9;!|XZ$dQ)u;ShF z*>Z}Ujt-eVDQO$8N!Ak1ddwmI@RDcPYmJpalC7ms{rn36;FD(3(AktMLL5|Mz4BJb zTLXh(7ZSS(x4DLw8i2IB6J9zgrhpIO2 zX4Q7>7Y^49UQfLYJnSHL@tyHq8#db$z27WU$QDL7QVLy(Ma;?*Eu^!2Xo0 z>Hb=){-j6h?4vRIqR6YQdgo1$!g1o|Q>5r-k>31sBkY4-s>^*!5pe9rK+B1WM! zyY-&p!8~HlNlp!=`@Ga>`PG#I$C(bfJAnQ7`APjB2C-0M*?V@>fAPZ~Dn4BeRH<)U zV%Y;V*l4@I@$0^i@6;k@zh$?GqHUPDY+jflH6RMN zI`3C=%x^D z6rF4t+@hXY=qSokMmXgz_d0jcstLYjPAYy5yT@p+=$OGh{l5O|qHASS4x006#ZGsO zCJ~_H12)F-?q_*?Y{{GXAI9h>jUcdbo@rOTNk3eMj4115pP$Y2?)Gu*7Cqin2pB^9 zKbZqS@yj^)@M)S*HA%h-A`E-dx}>i`qTdC*EFI? z#|`uB3Cyz8IIFAHm@7|+p1yCeOeis!yScpKYKf&J;paOuT;$WXGWtB1U=an1==Y{A zyMC+&i|JIv=@NV$Qmn5YLW+t-zC2g8`EWnAV?P7&Cmm8Rh%oAX>z@wsI31cC=R=m_JiZsI+OCU{8 zgqZ9KGmY?8DL~MtD83uF&`|9Q)0ujgVU~CizPSrZ9;&bMmoBK2?&4kGq`Pk0))B>9 zjM}X{d-f5ff)_u%?y5BGqwl>3%JjyiA&W(6{P}X{!Y$;M)&djgX(QZRv#wmj1Ge1H z_Y79dtxL|!v@AAadm>R`qMXr*`f13lmLf2_Gk?wmPUx8tb5tL%vcaHy>+^%yi+7yl z8p%ydw(uv0ymjgu1s@5H3X1$6d;)q+bPDvzu=wPt+3txS%KATaPFjaQ_sC(k($SJLPkBgD)-P;q{8|}{&h10W>x1l6i*dVK{mdU+&-dUH zf4p-TJ|~>?QBPR`AV=psO0xpqV9)D-5YRv!9BeIh?$r zM7-mG*Z|u&EI_sm1^hesy<#6Pd2MczyF%op3r`z(wN7rD#^zk0>A6fPI0(aypV}yq zD4ezTzk@&duavo*;EF*M2s@-c1Pr6o-EM8dhp${;?Tkux)yenOMVxv2)rT`gPo zqrPk{wh=W-7gV~sUw-?>!QZMs=jG&S?BUGcbPg-MtvQJkI_1j^>7E>#V{XE zh`3b}FezpB&eTNNO36KueA`XKvUR3dcz1k-%uqf3^)LH!#>i--#>0&CB$ Oswv%fO^$%0_x}MQyNNRZ literal 0 HcmV?d00001 diff --git a/docs/diagrams/icons/paramstore.svg b/docs/diagrams/icons/paramstore.svg new file mode 100644 index 000000000..cf5597200 --- /dev/null +++ b/docs/diagrams/icons/paramstore.svg @@ -0,0 +1,7 @@ + + + Icon-Resource/Managment-Governance/Res_AWS-System-Manager_Parameter-Store_48_Light + + + + \ No newline at end of file 
diff --git a/docs/diagrams/icons/s3.svg b/docs/diagrams/icons/s3.svg new file mode 100644 index 000000000..b178e8654 --- /dev/null +++ b/docs/diagrams/icons/s3.svg @@ -0,0 +1,18 @@ + + + Icon-Architecture/32/Arch_Amazon-S3-On-Outposts_Storage_32 + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/diagrams/icons/spid-logo.svg b/docs/diagrams/icons/spid-logo.svg new file mode 100644 index 000000000..c8d1dbdf1 --- /dev/null +++ b/docs/diagrams/icons/spid-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/diagrams/infra.svg b/docs/diagrams/infra.svg new file mode 100644 index 000000000..fc599989a --- /dev/null +++ b/docs/diagrams/infra.svg @@ -0,0 +1,885 @@ +InfrastructureproductClientuseridentityServicesGitHubIDPawsApiGWparameterStoredynamoDBIDPMetadataAssertionsKMSvpconeid-ecs-coreoneid-lambda-client-registrationoneid-service-metadataoneid-lambda-is-gh-integrationoneid-lambda-idp-metadataoneid-lambda-assertion send API Key to request clientID and clientSecret (POST)send API Key to request clientID and clientSecret (POST)generate and store client secretrequest metadata (GET)request metadata (GET) retrieve metadataget SAML assertionsstore SAML assertionsget new IDP metadataopen PR with new IDP metadataupon PR merge, store IDP metadataget IDP metadata from bucket and store it on dbget IDP metadata from bucket and store it on dbclient authenticationclient authenticationget IDP metadatahandle client sessionget privateKey to sign JWT token + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/metadata_flow.svg b/docs/diagrams/metadata_flow.svg index 25644503b..e2c064d5e 100644 --- a/docs/diagrams/metadata_flow.svg +++ b/docs/diagrams/metadata_flow.svg 
@@ -1,26 +1,26 @@ -service metadata flowuserawsvpcbucketS3cloudfrontdynamoDBoneid-service-metadata 1. send db Event 2. retrieve client metadata3. upate fileretrieve fileretrieve file +service metadata flowuserawsvpcbucketS3cloudfrontdynamoDBoneid-service-metadata 1. send db Event 2. retrieve client metadata3. upate fileretrieve fileretrieve file - - + + diff --git a/docs/diagrams/src/auth_flow.d2 b/docs/diagrams/src/auth_flow.d2 index 7f1768a6b..cc4549838 100644 --- a/docs/diagrams/src/auth_flow.d2 +++ b/docs/diagrams/src/auth_flow.d2 @@ -6,7 +6,7 @@ direction: right title: { class: title - label: Authentication flow + label: Authentication flow } user: { diff --git a/docs/diagrams/src/classes.d2 b/docs/diagrams/src/classes.d2 index 1120dd61b..34b6bfd47 100644 --- a/docs/diagrams/src/classes.d2 +++ b/docs/diagrams/src/classes.d2 
@@ -34,40 +34,44 @@ classes: { } apiGW: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_App-Integration/Arch_32/Arch_%20Amazon-API-Gateway_32.svg - } + icon: ../icons/apigw.svg} lambda: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_AWS-Lambda_32.svg - + icon: ../icons/lambda.svg } ECS: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Compute/32/Arch_Amazon-Elastic-Container-Service_32.svg - } + icon: ../icons/ecs.svg } dynamo: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Database/32/Arch_Amazon-DynamoDB_32.svg + icon: ../icons/dynamo.svg } s3: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Storage/32/Arch_Amazon-S3-on-Outposts_32.svg + icon: ../icons/s3.svg } cloudfront: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Networking-Content-Delivery/32/Arch_Amazon-CloudFront_32.svg + icon: ../icons/cloudfront.svg } KMS: { - icon: https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Architecture-Service-Icons_01312022/Arch_Security-Identity-Compliance/48/Arch_AWS-Key-Management-Service_48.svg + icon: ../icons/KMS.svg } idpSPID: { shape: image - icon: https://raw.githubusercontent.com/italia/spid-graphics/master/spid-logos/spid-logo-c-lb.svg + icon: ../icons/spid-logo.svg } parameterStore { - icon: 
https://raw.githubusercontent.com/weibeld/aws-icons-svg/5e0e14e5472f1eefed879d7ea7e1d79652858d14/q1-2022/Resource-Icons_01312022/Res_Management-Governance/Res_48_Light/Res_AWS-Systems-Manager_Parameter-Store_48_Light.svg + icon: ../icons/paramstore.svg } + + github { + icon: ../icons/github.png + } + + identityServices { + icon: ../icons/pagopa.jpeg } } \ No newline at end of file diff --git a/docs/diagrams/src/infra.d2 b/docs/diagrams/src/infra.d2 new file mode 100644 index 000000000..ba91dd0d2 --- /dev/null +++ b/docs/diagrams/src/infra.d2 
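Review bot: The new `icon: ../icons/apigw.svg}` line under `apiGW` fuses the closing brace onto the icon line, while every sibling entry (`lambda`, `ECS`, `dynamo`, `s3`, …) keeps `}` on its own line; split it into `icon: ../icons/apigw.svg` and `}`. The two added entries `github {` and `identityServices {` also omit the colon the surrounding entries use (`s3: {`, `KMS: {`), the same form a later commit in this series corrects for `parameterStore` in infra.d2, so `github: {` and `identityServices: {` would keep the file uniform. Vendoring the icons under docs/diagrams/icons instead of fetching them from raw.githubusercontent.com at render time removes a third-party dependency from the diagram build; a one-line provenance comment such as `# icons vendored from the previously linked weibeld/aws-icons-svg pin; update the local files rather than re-linking remote URLs` would help the next person who needs to refresh them.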
@@ -0,0 +1,114 @@
+...@classes
+vars: {
+ d2-config: @config.config
+}
+direction: right
+
+title: {
+ class: title
+ label: Infrastructure
+}
+
+productClient: {
+ class: externalCloudService
+}
+
+user: {
+ class: user
+}
+
+identityServices: {
+ class: identityServices
+}
+
+GitHub: {
+ class: github
+}
+
+IDP: {
+ class: idpSPID
+}
+
+aws: {
+ class: aws
+ ApiGW: {
+ class: apigw
+ }
+
+ parameterStore {
+ class: parameterStore
+ }
+
+ dynamoDB :{
+ class: dynamo
+ }
+
+ IDPMetadata: {
+ class: s3
+ }
+
+ Assertions: {
+ class: s3
+ }
+
+ KMS: {
+ class: KMS
+ }
+
+ vpc: {
+ class: vpc
+
+ oneid-ecs-core: {
+ class: ECS
+ }
+
+ oneid-lambda-client-registration: {
+ class: lambda
+ }
+ oneid-service-metadata: {
+ class: lambda
+ }
+
+ oneid-lambda-is-gh-integration: {
+ class: lambda
+ }
+
+ oneid-lambda-idp-metadata: {
+ class: lambda
+ }
+
+ oneid-lambda-assertion: {
+ class: lambda
+ }
+ }
+}
+
+productClient -> aws.ApiGW -> aws.vpc.oneid-lambda-client-registration: send API Key to request clientID and clientSecret (POST)
+aws.vpc.oneid-lambda-client-registration -> aws.dynamoDB: generate and store client secret
+
+user -> aws.ApiGW -> aws.vpc.oneid-service-metadata: request metadata (GET)
+aws.vpc.oneid-service-metadata <-> aws.dynamoDB: retrieve metadata
+
+aws.vpc.oneid-lambda-assertion <-> aws.dynamoDB: get SAML assertions
+aws.Assertions <- aws.vpc.oneid-lambda-assertion: store SAML assertions
+
+
+IdentityServices <-> aws.vpc.oneid-lambda-is-gh-integration: get new IDP metadata
+github <- aws.vpc.oneid-lambda-is-gh-integration : open PR with new IDP metadata
+github -> aws.IDPMetadata: upon PR merge, store IDP metadata
+aws.IDPMetadata -> aws.vpc.oneid-lambda-idp-metadata -> aws.dynamoDB : get IDP metadata from bucket and store it on db
+
+productClient <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: client authentication
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: get IDP metadata
+aws.vpc.oneid-ecs-core <-> aws.dynamoDB: handle client session
+aws.vpc.oneid-ecs-core <-> aws.parameterStore: get privateKey to sign JWT token
+
+
+
+
+
+
+
+
+
+
From 9ee2e0b71deef3f65c3f7dc7b2db8b2d923e2b38 Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Fri, 11 Oct 2024 14:57:35 +0200 Subject: [PATCH 7/9] chore: rebuild auth-flow --- docs/diagrams/auth_flow.svg | 638 ++++++++++++++++----------------- docs/diagrams/src/auth_flow.d2 | 29 +- 2 files changed, 334 insertions(+), 333 deletions(-)
diff --git a/docs/diagrams/auth_flow.svg b/docs/diagrams/auth_flow.svg
index d48149ef5..e045cb42e 100644
--- a/docs/diagrams/auth_flow.svg
+++ b/docs/diagrams/auth_flow.svg
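Review bot: `KMS: { class: KMS }` is declared inside `aws` but no edge references it, while the last edge, `aws.vpc.oneid-ecs-core <-> aws.parameterStore: get privateKey to sign JWT token`, places the signing key in Parameter Store; the auth_flow.d2 hunk later in this series draws the JWT signing through `aws.KMS` (step 10) in addition to the Parameter Store read (step 4.1). A PEM read into the service and a key that never leaves KMS are different designs, so the two diagrams should agree on which one is real — either add `aws.vpc.oneid-ecs-core <-> aws.KMS: sign JWT` here or drop the unused node and reconcile the auth flow. The edges also use `IdentityServices` and `github` while the nodes are declared as `identityServices` and `GitHub`; D2 keys are case-insensitive as far as I know, but matching the declared spelling avoids a reader taking them for separate nodes.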
@@ -1,27 +1,27 @@ -Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: init SAMLSession record4.3: redirect POST4.3: redirect POST5: perform authentication6: send and perform verification on SAML response6: send and perform verification on SAML response6.1: retrieve certificate data6.2: update SAMLSession and initialize OIDCSession records7: init authorization code flow7.1: send /token POST to init access token session7.1: send /token POST to init access token session7.2: retrieve ClientRegistrations data7.3: init access session and validate state7.4: Sign JWT7.5: return JWT - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Authentication flowuserIDPproductClientawsApiGWvpcdynamoDBparameterStoreKMSoneid-ecs-core 1. Login2. redirect to OneIdentity 3. /login3. /login4: /authorize4: /authorize4.1: retrive key pem file from parameter store4.2: redirect POST4.2: redirect POST5: init SAMLSession record6: perform authentication7: send and perform verification on SAML response7: send and perform verification on SAML response7.1: retrieve certificate data7.2: update SAMLSession and initialize OIDCSession records8: init authorization code flow8.1: send /token POST to init access token session9. init access session and validate state10. Sign JWT10. return JWT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/diagrams/src/auth_flow.d2 b/docs/diagrams/src/auth_flow.d2 index cc4549838..267943c7a 100644 --- a/docs/diagrams/src/auth_flow.d2 +++ b/docs/diagrams/src/auth_flow.d2 @@ -6,7 +6,7 @@ direction: right title: { class: title - label: Authentication flow + label: Authentication flow } user: { 
@@ -56,19 +56,22 @@ user <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: 3. /login user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 4: /authorize aws.vpc.oneid-ecs-core -> aws.parameterStore: 4.1: retrive key pem file from parameter store -aws.vpc.oneid-ecs-core -> aws.dynamoDB: 4.2: init SAMLSession record -user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4.3: redirect POST +user <- aws.ApiGW <- aws.vpc.oneid-ecs-core: 4.2: redirect POST -user <-> IDP: 5: perform authentication +aws.vpc.oneid-ecs-core -> aws.dynamoDB: 5: init SAMLSession record -user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 6: send and perform verification on SAML response -aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 6.1: retrieve certificate data -aws.vpc.oneid-ecs-core -> aws.dynamoDB: 6.2: update SAMLSession and initialize OIDCSession records -productClient <- aws.vpc.oneid-ecs-core: 7: init authorization code flow -productClient -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 7.1: send /token POST to init access token session -aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 7.2: retrieve ClientRegistrations data -aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 7.3: init access session and validate state -aws.vpc.oneid-ecs-core <-> aws.KMS: 7.4: Sign JWT -aws.vpc.oneid-ecs-core -> productClient: 7.5: return JWT +user <-> IDP: 6: perform authentication +user -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 7: send and perform verification on SAML response +aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.1: retrieve certificate data +aws.vpc.oneid-ecs-core -> aws.dynamoDB: 7.2: update SAMLSession and initialize OIDCSession records + +productClient <- aws.vpc.oneid-ecs-core: 8: init authorization code flow +productClient -> aws.vpc.oneid-ecs-core: 8.1: send /token POST to init access token session + +aws.vpc.oneid-ecs-core <-> aws.dynamoDB: 9. init access session and validate state + +aws.vpc.oneid-ecs-core <-> aws.KMS: 10. Sign JWT + +aws.vpc.oneid-ecs-core -> productClient: 10. return JWT 
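Review bot: The rewritten step `8.1: send /token POST to init access token session` goes `productClient -> aws.vpc.oneid-ecs-core` directly, dropping the `aws.ApiGW` hop that the replaced 7.1 line had, while every other client-facing call in this hunk (steps 4 and 7, and step 3 in the context above) passes through the gateway. If /token really is exposed without the API gateway that is worth stating explicitly, since whatever the gateway enforces would not apply to that endpoint; if not, restore `productClient -> aws.ApiGW -> aws.vpc.oneid-ecs-core: 8.1: send /token POST to init access token session`. The last two added edges are both numbered 10 (`10. Sign JWT` and `10. return JWT`); the return should be 11. The numbering style is also mixed within the hunk — `4:` through `8.1:` use a colon, `9.` and `10.` a period.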
From f8c1846e534955dbce075505ba199428c695bf6a Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:38:58 +0100 Subject: [PATCH 8/9] feat: added client registration design --- docs/diagrams/client_registration.svg | 870 +++++++++++++++++++++++ docs/diagrams/src/client_registration.d2 | 60 ++ docs/diagrams/src/infra.d2 | 6 +- 3 files changed, 934 insertions(+), 2 deletions(-) create mode 100644 docs/diagrams/client_registration.svg create mode 100644 docs/diagrams/src/client_registration.d2 diff --git a/docs/diagrams/client_registration.svg b/docs/diagrams/client_registration.svg new file mode 100644 index 000000000..661d0ac6d --- /dev/null +++ b/docs/diagrams/client_registration.svg @@ -0,0 +1,870 @@ +

Legend

+
■ test
+
Client Registration FlowproductClientawsApiGWvpcdynamoDBoneid-lambda-client-registration 1. authenticate client via API key2. if authenticated, get client info3. generate clientID and client secret and store it 4. return clientID, client secret and info to client4. return clientID, client secret and info to client1. GET /OIDC/register/{clientID}2. retrieve client data3. return data to Client3. return data to Client + + + + + + + + + + + + + + + + + + +
diff --git a/docs/diagrams/src/client_registration.d2 b/docs/diagrams/src/client_registration.d2 new file mode 100644
index 000000000..85628ce1a
--- /dev/null
+++ b/docs/diagrams/src/client_registration.d2
@@ -0,0 +1,60 @@
+...@classes
+vars: {
+ d2-config: @config.config
+}
+direction: right
+explanation: |md
+ # Legend
■ test
+
+| {
+ near: top-left
+}
+
+title: {
+ class: title
+ label: Client Registration Flow
+}
+
+productClient: {
+ class: externalCloudService
+}
+
+aws: {
+ class: aws
+ ApiGW: {
+ class: apigw
+ }
+ vpc: {
+ class: vpc
+ oneid-lambda-client-registration: {
+ class: lambda
+ }
+ }
+ dynamoDB :{
+ class: dynamo
+ }
+}
+
+productClient -> aws.ApiGW: 1. authenticate client via API key
+aws.ApiGW -> aws.vpc.oneid-lambda-client-registration: 2. if authenticated, get client info
+aws.vpc.oneid-lambda-client-registration -> aws.dynamoDB: 3. generate clientID and client secret and store it
+productClient <- aws.ApiGW <- aws.vpc.oneid-lambda-client-registration: 4. return clientID, client secret and info to client
+
+productClient -> aws.ApiGW: 1. GET /OIDC/register/\{clientID\} {
+ style: {
+ font-color: green
+ }
+}
+aws.vpc.oneid-lambda-client-registration <-> aws.dynamoDB: 2. retrieve client data {
+ style: {
+ font-color: green
+ }
+}
+
+productClient <- aws.ApiGW <- aws.vpc.oneid-lambda-client-registration: 3. return data to Client {
+ style: {
+ font-color: green
+ }
+}
+
diff --git a/docs/diagrams/src/infra.d2 b/docs/diagrams/src/infra.d2
index ba91dd0d2..7f380555a 100644
--- a/docs/diagrams/src/infra.d2
+++ b/docs/diagrams/src/infra.d2
@@ -41,7 +41,7 @@ aws: { dynamoDB :{ class: dynamo
- }
+ }
 IDPMetadata: { class: s3
@@ -83,6 +83,8 @@ aws: { } }
+
+
 productClient -> aws.ApiGW -> aws.vpc.oneid-lambda-client-registration: send API Key to request clientID and clientSecret (POST) aws.vpc.oneid-lambda-client-registration -> aws.dynamoDB: generate and store client secret
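Review bot: The `explanation` legend still reads `■ test`, which looks like placeholder text; the only styling in the file is `font-color: green` on the second group of edges, so the legend should say what green denotes and that its step numbers restart, e.g. `■ green: GET /OIDC/register lookup flow (numbered separately)`, since the diagram otherwise shows two edges labelled `1.` with no explanation. The green edge `3. return data to Client` does not say what is returned; because step 3 of the registration flow stores the generated client secret in DynamoDB, the label should make clear whether the lookup hands the secret back or only the public client info, e.g. `3. return client info (no secret) to Client` if that is what the implementation does. Naming this in the diagram matters because the GET path is authenticated only by the API-key check drawn on step 1, as far as the hunk shows.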
@@ -99,7 +101,7 @@ github -> aws.IDPMetadata: upon PR merge, store IDP metadata aws.IDPMetadata -> aws.vpc.oneid-lambda-idp-metadata -> aws.dynamoDB : get IDP metadata from bucket and store it on db productClient <-> aws.ApiGW <-> aws.vpc.oneid-ecs-core: client authentication -aws.vpc.oneid-ecs-core <-> aws.dynamoDB: get IDP metadata +aws.vpc.oneid-ecs-core <-> aws.dynamoDB: get IDP and clients metadata aws.vpc.oneid-ecs-core <-> aws.dynamoDB: handle client session aws.vpc.oneid-ecs-core <-> aws.parameterStore: get privateKey to sign JWT token From de53afce422656781fb534cf67d91240e431f336 Mon Sep 17 00:00:00 2001 From: himazawa <73994521+himazawa@users.noreply.github.com> Date: Tue, 15 Jul 2025 11:14:06 +0200 Subject: [PATCH 9/9] Apply suggestion from @sebbalex Co-authored-by: Alessandro Sebastiani --- docs/diagrams/src/infra.d2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/diagrams/src/infra.d2 b/docs/diagrams/src/infra.d2 index 7f380555a..854193206 100644 --- a/docs/diagrams/src/infra.d2 +++ b/docs/diagrams/src/infra.d2 @@ -35,7 +35,7 @@ aws: { class: apigw } - parameterStore { + parameterStore: { class: parameterStore }