From 7f4f8b3d1db8b63502b43b691291c4e0c26ebac8 Mon Sep 17 00:00:00 2001 From: Simon Fels Date: Tue, 27 Aug 2024 10:25:45 +0200 Subject: [PATCH] feat: add crypto explanation for the dashboard --- .custom_wordlist.txt | 3 ++ explanation/cryptography/crypto_dashboard.md | 53 +++++++++++++++++++ .../cryptography/crypto_stream_agent.md | 2 +- explanation/cryptography/landing.md | 1 + 4 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 explanation/cryptography/crypto_dashboard.md diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt index 979397fb..7e84edd2 100644 --- a/.custom_wordlist.txt +++ b/.custom_wordlist.txt @@ -146,6 +146,7 @@ JS JSON Juju Juju's +JWKS JWT kb keybinding @@ -199,6 +200,7 @@ OOB OOM OpenAPI OpenGL +OpenSSL OpenStack PCI Perfetto @@ -210,6 +212,7 @@ powershell pre preseed preselected +PyJWT Quickstart quickstart radv diff --git a/explanation/cryptography/crypto_dashboard.md b/explanation/cryptography/crypto_dashboard.md new file mode 100644 index 00000000..e52943a1 --- /dev/null +++ b/explanation/cryptography/crypto_dashboard.md 
@@ -0,0 +1,53 @@ +(exp-security-crypto-dashboard)= +# Dashboard + +The Anbox Cloud Dashboard (dashboard) is using cryptographic technology for: + +* TLS transport encryption +* Registration of new users +* User authentication +* Mutual TLS based authentication + +## TLS transport encryption + +All network endpoints exposed by the dashboard are secured with TLS using an 4096 bit RSA key. The dashboard strictly enforces TLS 1.2 or later and does not provide backward compatibility with older TLS versions. + +## Registration of new users + +For registering a new user, a token is generated using the [PyJWT](https://github.com/jpadilla/pyjwt) library. + +1. The token includes the user's email and the token's validity period as payload data. This `payload` dictionary is passed to the `encode()` function from the PyJWT library. +1. A secret key is used to sign the token. The [HMAC](https://www.okta.com/identity-101/hmac/) SHA-256 algorithm is used in the signing process. +1. The `encode()` function returns a [JWT](https://jwt.io/), which is a string representing the encoded and signed payload data. + +The dashboard uses PyJWT to decode the token after it has been presented by the user, verifies its validity and checks its expiration: + +1. The token, in the form of a JWT string, is passed to the `decode()` function from the PyJWT library. +1. The secret key is used to verify the token's signature and the expected signing algorithm for the token is [HMAC](https://www.okta.com/identity-101/hmac/) SHA-256. +1. The `decode()` function verifies the token's signature using the secret key and algorithm. If verification is successful, it decodes the token and returns the original payload dictionary. + +## User authentication + +When authenticating with an external identity provider, the following actions are performed: + +Retrieving ID Tokens + : ID tokens, which contain the user's email and full name, are obtained from the authentication server. 
+ +Decoding Unverified Headers + : Initially, the `get_unverified_header()` function from [`python-jose`](https://github.com/mpdavis/python-jose/) is used to decode the token's unverified headers and extract the key ID. + +Fetching and Caching JWKS + : The JSON Web Key Set (JWKS) is fetched from the JWKS endpoint and is cached. For subsequent requests, the cached JWKS is checked for a key matching the key ID in the token. If the key is not found in the cache, the JWKS is fetched again. + +Decoding the Token + : The `decode()` function from [`python-jose`](https://github.com/mpdavis/python-jose/) is used to decode the token. This process uses the JWKS containing the key ID and verifies the audience. + +## Mutual TLS based authentication + +The dashboard uses mutual TLS authentication to establish a trusted TLS communication channel with the Anbox management Service (AMS) to communicate with the AMS API. To do this, the dashboard generates a TLS certificate using a 4096 bit RSA key. + +## Packages used + +* [PyJWT](https://github.com/jpadilla/pyjwt) +* [`python-jose`](https://github.com/mpdavis/python-jose/) +* [OpenSSL](https://launchpad.net/ubuntu/+source/openssl/) \ No newline at end of file diff --git a/explanation/cryptography/crypto_stream_agent.md b/explanation/cryptography/crypto_stream_agent.md index 6fa96641..11ab553a 100644 --- a/explanation/cryptography/crypto_stream_agent.md +++ b/explanation/cryptography/crypto_stream_agent.md @@ -1,4 +1,4 @@ -(exp-security-crypto-ams)= +(exp-security-crypto-stream-agent)= # Anbox Stream Agent Anbox Streaming Agent is using cryptographic technology for: diff --git a/explanation/cryptography/landing.md b/explanation/cryptography/landing.md index 9153378b..f77f1a6a 100644 --- a/explanation/cryptography/landing.md +++ b/explanation/cryptography/landing.md @@ -11,4 +11,5 @@ This information is currently available for the following components: crypto_ams crypto_stream_agent +crypto_dashboard ``` \ No newline at end of file
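Review bot: in the new `explanation/cryptography/crypto_dashboard.md` hunk, the "Registration of new users" decode steps should state that the expected algorithm is passed explicitly to `decode()` so that only HMAC SHA-256 signatures are accepted and the token's own `alg` header is never trusted, and the "User authentication" steps should say whether the issuer and expiry are verified alongside the audience, since the "Decoding the Token" entry mentions only the audience check; the "Fetching and Caching JWKS" entry, which refetches the key set whenever the key ID is missing from the cache, would also benefit from one sentence on whether those refetches are rate-limited. Smaller points in the same hunk: "using an 4096 bit RSA key" should read "a 4096-bit RSA key" (the "Mutual TLS based authentication" section has the same "4096 bit" form), "Anbox management Service (AMS)" should be "Anbox Management Service (AMS)", the mutual TLS section does not say how the certificate the dashboard generates comes to be trusted by AMS, and "Packages used" lists OpenSSL although the body never says where it is used (presumably key and certificate generation for the TLS sections; worth stating). The file also lacks a trailing newline.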
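Review bot: the label rename in `explanation/cryptography/crypto_stream_agent.md` from `(exp-security-crypto-ams)=` to `(exp-security-crypto-stream-agent)=` looks like the correct fix for what is presumably a copy-paste of the AMS page's label, but any existing cross-reference that pointed at the stream agent page via `exp-security-crypto-ams` will now quietly resolve to `crypto_ams.md` instead; worth grepping the docs for the old label to confirm that every remaining use really intends the AMS page.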
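Review bot: in the `explanation/cryptography/landing.md` hunk, `crypto_dashboard` is appended after `crypto_stream_agent`; if the toctree is meant to be alphabetical it belongs between `crypto_ams` and `crypto_stream_agent`, and if the order is deliberate (for example by component importance) a short comment saying so would stop the next addition from reshuffling it.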