Module: OmniauthOpenidFederation::Instrumentation

Defined in:
lib/omniauth_openid_federation/instrumentation.rb

Constant Summary

EVENT_CSRF_DETECTED =

Security event types

"csrf_detected"
EVENT_SIGNATURE_VERIFICATION_FAILED =
"signature_verification_failed"
EVENT_DECRYPTION_FAILED =
"decryption_failed"
EVENT_TOKEN_VALIDATION_FAILED =
"token_validation_failed"
EVENT_KEY_ROTATION_DETECTED =
"key_rotation_detected"
EVENT_KID_NOT_FOUND =
"kid_not_found"
EVENT_ENTITY_STATEMENT_VALIDATION_FAILED =
"entity_statement_validation_failed"
EVENT_FINGERPRINT_MISMATCH =
"fingerprint_mismatch"
EVENT_TRUST_CHAIN_VALIDATION_FAILED =
"trust_chain_validation_failed"
EVENT_ENDPOINT_MISMATCH =
"endpoint_mismatch"
EVENT_UNEXPECTED_AUTHENTICATION_BREAK =
"unexpected_authentication_break"
EVENT_STATE_MISMATCH =
"state_mismatch"
EVENT_MISSING_REQUIRED_CLAIMS =
"missing_required_claims"
EVENT_AUDIENCE_MISMATCH =
"audience_mismatch"
EVENT_ISSUER_MISMATCH =
"issuer_mismatch"
EVENT_EXPIRED_TOKEN =
"expired_token"
EVENT_INVALID_NONCE =
"invalid_nonce"
EVENT_AUTHENTICITY_ERROR =
"authenticity_error"

Class Method Summary

Class Method Details

.notify(event, data: {}, severity: :warning) ⇒ void

This method returns an undefined value.

Notify about a security event



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 58

# Deliver a security event to the instrumentation sink set in
# +Configuration.config.instrumentation+.
#
# Nothing happens when no sink is configured. Otherwise +data+ is passed
# through +sanitize_data+ (defined elsewhere in this module) and the event is
# handed to the first interface the sink supports, in this order:
# +call(event, payload)+, +notify(event, payload)+, or a logger-like
# +error+ / +warn+ / +info+ method chosen from +severity+. In the logger case
# the data is rendered with +inspect+, so string values are escaped rather
# than written raw into the log line.
#
# Exceptions raised by the sink itself (StandardError) are rescued and logged
# through +Logger.warn+ so that a faulty hook cannot abort the authentication
# flow; failures in +sanitize_data+ are not rescued and propagate to the caller.
#
# @param event [String] one of the EVENT_* constants
# @param data [Hash] event context; sanitized before delivery
# @param severity [Symbol] :error or :warning; any other value logs at info
# @return [void]
def notify(event, data: {}, severity: :warning)
  config = Configuration.config
  return unless config.instrumentation

  cleaned = sanitize_data(data)

  payload = {
    event: event,
    severity: severity,
    timestamp: Time.now.utc.iso8601,
    data: cleaned
  }

  begin
    sink = config.instrumentation
    if sink.respond_to?(:call)
      sink.call(event, payload)
    elsif sink.respond_to?(:notify)
      sink.notify(event, payload)
    else
      # Neither call nor notify: treat the sink as a logger-like object.
      line = "[OpenID Federation Security] #{event}: #{cleaned.inspect}"
      case severity
      when :error then sink.error(line)
      when :warning then sink.warn(line)
      else sink.info(line)
      end
    end
  rescue => e
    # A broken hook must not break authentication; record it and continue.
    Logger.warn("[Instrumentation] Failed to notify about #{event}: #{e.message}")
  end
end

.notify_audience_mismatch(data = {}) ⇒ void

This method returns an undefined value.

Notify about audience mismatch



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 296

# Report an audience (aud) mismatch on a received token.
#
# Emits EVENT_AUDIENCE_MISMATCH at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_audience_mismatch(data = {})
  details = {reason: "Token audience mismatch - possible MITM attack or configuration issue"}.merge(data)
  notify(EVENT_AUDIENCE_MISMATCH, data: details, severity: :error)
end

.notify_authenticity_error(data = {}) ⇒ void

This method returns an undefined value.

Notify about authenticity token error (OmniAuth CSRF protection)



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 356

# Report that OmniAuth's authenticity-token (CSRF) check rejected a request.
#
# Emits EVENT_AUTHENTICITY_ERROR at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_authenticity_error(data = {})
  details = {reason: "OmniAuth authenticity token validation failed - CSRF protection blocked request"}.merge(data)
  notify(EVENT_AUTHENTICITY_ERROR, data: details, severity: :error)
end

.notify_csrf_detected(data = {}) ⇒ void

This method returns an undefined value.

Notify about CSRF detection



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 101

# Report a state-parameter mismatch treated as a CSRF indicator.
#
# Emits EVENT_CSRF_DETECTED at :error severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_csrf_detected(data = {})
  details = {reason: "State parameter mismatch - possible CSRF attack"}.merge(data)
  notify(EVENT_CSRF_DETECTED, data: details, severity: :error)
end

.notify_decryption_failed(data = {}) ⇒ void

This method returns an undefined value.

Notify about decryption failure



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 131

# Report that an encrypted token could not be decrypted.
#
# Emits EVENT_DECRYPTION_FAILED at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_decryption_failed(data = {})
  details = {reason: "Token decryption failed - possible MITM attack or key mismatch"}.merge(data)
  notify(EVENT_DECRYPTION_FAILED, data: details, severity: :error)
end

.notify_endpoint_mismatch(data = {}) ⇒ void

This method returns an undefined value.

Notify about endpoint mismatch



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 236

# Report that an endpoint differs from the expected one.
#
# Emits EVENT_ENDPOINT_MISMATCH at :warning severity (not :error, unlike most
# siblings). A caller-supplied +:reason+ in +data+ overrides the default text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_endpoint_mismatch(data = {})
  details = {reason: "Endpoint mismatch detected - possible MITM attack or configuration issue"}.merge(data)
  notify(EVENT_ENDPOINT_MISMATCH, data: details, severity: :warning)
end

.notify_entity_statement_validation_failed(data = {}) ⇒ void

This method returns an undefined value.

Notify about entity statement validation failure



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 191

# Report that an entity statement failed validation.
#
# Emits EVENT_ENTITY_STATEMENT_VALIDATION_FAILED at :error severity. A
# caller-supplied +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_entity_statement_validation_failed(data = {})
  details = {reason: "Entity statement validation failed - possible tampering or MITM attack"}.merge(data)
  notify(EVENT_ENTITY_STATEMENT_VALIDATION_FAILED, data: details, severity: :error)
end

.notify_expired_token(data = {}) ⇒ void

This method returns an undefined value.

Notify about expired token



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 326

# Report that a token was presented after its expiry.
#
# Emits EVENT_EXPIRED_TOKEN at :warning severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_expired_token(data = {})
  details = {reason: "Token expired - possible clock skew or replay attack"}.merge(data)
  notify(EVENT_EXPIRED_TOKEN, data: details, severity: :warning)
end

.notify_fingerprint_mismatch(data = {}) ⇒ void

This method returns an undefined value.

Notify about fingerprint mismatch



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 206

# Report that an entity statement's fingerprint does not match the pinned one.
#
# Emits EVENT_FINGERPRINT_MISMATCH at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_fingerprint_mismatch(data = {})
  details = {reason: "Entity statement fingerprint mismatch - possible MITM attack or tampering"}.merge(data)
  notify(EVENT_FINGERPRINT_MISMATCH, data: details, severity: :error)
end

.notify_invalid_nonce(data = {}) ⇒ void

This method returns an undefined value.

Notify about invalid nonce



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 341

# Report a nonce mismatch on a received token.
#
# Emits EVENT_INVALID_NONCE at :error severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_invalid_nonce(data = {})
  details = {reason: "Nonce mismatch - possible replay attack"}.merge(data)
  notify(EVENT_INVALID_NONCE, data: details, severity: :error)
end

.notify_issuer_mismatch(data = {}) ⇒ void

This method returns an undefined value.

Notify about issuer mismatch



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 311

# Report an issuer (iss) mismatch on a received token.
#
# Emits EVENT_ISSUER_MISMATCH at :error severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_issuer_mismatch(data = {})
  details = {reason: "Token issuer mismatch - possible MITM attack or configuration issue"}.merge(data)
  notify(EVENT_ISSUER_MISMATCH, data: details, severity: :error)
end

.notify_key_rotation_detected(data = {}) ⇒ void

This method returns an undefined value.

Notify about key rotation detection



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 161

# Report that a kid absent from the current JWKS looks like a key rotation.
#
# Emits EVENT_KEY_ROTATION_DETECTED at :warning severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_key_rotation_detected(data = {})
  details = {reason: "Key rotation detected - kid not found in current JWKS"}.merge(data)
  notify(EVENT_KEY_ROTATION_DETECTED, data: details, severity: :warning)
end

.notify_kid_not_found(data = {}) ⇒ void

This method returns an undefined value.

Notify about kid not found



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 176

# Report that a token's kid was not found in the JWKS.
#
# Emits EVENT_KID_NOT_FOUND at :error severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_kid_not_found(data = {})
  details = {reason: "Key ID not found in JWKS - possible key rotation or MITM attack"}.merge(data)
  notify(EVENT_KID_NOT_FOUND, data: details, severity: :error)
end

.notify_missing_required_claims(data = {}) ⇒ void

This method returns an undefined value.

Notify about missing required claims



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 281

# Report that a token lacks one or more required claims.
#
# Emits EVENT_MISSING_REQUIRED_CLAIMS at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_missing_required_claims(data = {})
  details = {reason: "Token missing required claims - possible tampering or provider issue"}.merge(data)
  notify(EVENT_MISSING_REQUIRED_CLAIMS, data: details, severity: :error)
end

.notify_signature_verification_failed(data = {}) ⇒ void

This method returns an undefined value.

Notify about signature verification failure



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 116

# Report that a JWT signature did not verify.
#
# Emits EVENT_SIGNATURE_VERIFICATION_FAILED at :error severity. A
# caller-supplied +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_signature_verification_failed(data = {})
  details = {reason: "JWT signature verification failed - possible MITM attack or key rotation"}.merge(data)
  notify(EVENT_SIGNATURE_VERIFICATION_FAILED, data: details, severity: :error)
end

.notify_state_mismatch(data = {}) ⇒ void

This method returns an undefined value.

Notify about state mismatch



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 266

# Report that the callback's state parameter does not match the stored one.
#
# Emits EVENT_STATE_MISMATCH at :error severity. A caller-supplied +:reason+
# in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_state_mismatch(data = {})
  details = {reason: "State parameter mismatch - possible CSRF attack or session issue"}.merge(data)
  notify(EVENT_STATE_MISMATCH, data: details, severity: :error)
end

.notify_token_validation_failed(data = {}) ⇒ void

This method returns an undefined value.

Notify about token validation failure



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 146

# Report a generic token validation failure.
#
# Emits EVENT_TOKEN_VALIDATION_FAILED at :error severity. A caller-supplied
# +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_token_validation_failed(data = {})
  details = {reason: "Token validation failed - possible tampering or configuration mismatch"}.merge(data)
  notify(EVENT_TOKEN_VALIDATION_FAILED, data: details, severity: :error)
end

.notify_trust_chain_validation_failed(data = {}) ⇒ void

This method returns an undefined value.

Notify about trust chain validation failure



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 221

# Report that a federation trust chain failed validation.
#
# Emits EVENT_TRUST_CHAIN_VALIDATION_FAILED at :error severity. A
# caller-supplied +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_trust_chain_validation_failed(data = {})
  details = {reason: "Trust chain validation failed - possible MITM attack or configuration issue"}.merge(data)
  notify(EVENT_TRUST_CHAIN_VALIDATION_FAILED, data: details, severity: :error)
end

.notify_unexpected_authentication_break(data = {}) ⇒ void

This method returns an undefined value.

Notify about unexpected authentication break



# File 'lib/omniauth_openid_federation/instrumentation.rb', line 251

# Report a failure in a step of the authentication flow that is not expected
# to fail.
#
# Emits EVENT_UNEXPECTED_AUTHENTICATION_BREAK at :error severity. A
# caller-supplied +:reason+ in +data+ overrides the default reason text.
#
# @param data [Hash] additional event context
# @return [void]
def notify_unexpected_authentication_break(data = {})
  details = {reason: "Unexpected authentication break - something that should not fail has failed"}.merge(data)
  notify(EVENT_UNEXPECTED_AUTHENTICATION_BREAK, data: details, severity: :error)
end