✨(siret) introduce SIRET mapping from EntityID
The proxy now uses a SIRET_MAP environment variable that must contain a JSON mapping of SAML entity IDs to SIRET numbers. These SIRET numbers will be returned to OIDC clients that request the `siret` scope, in the `siret` claim.
This commit is contained in:
@@ -7,6 +7,7 @@ and this project adheres to
|
||||
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## Unreleased
|
||||
- map SAML entity IDs to SIRET (#34)
|
||||
- include ACR claim in ID token only if requested (#32)
|
||||
|
||||
## [1.0.8] - 2025-09-10
|
||||
|
||||
+1
-1
@@ -66,7 +66,7 @@ services:
|
||||
#OIDC_PROVIDER: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
OIDC_CLIENT_ID: oidc-test-client
|
||||
OIDC_CLIENT_SECRET: oidc-test-secret
|
||||
OIDC_SCOPES: openid,uid,given_name,usual_name,email
|
||||
OIDC_SCOPES: openid,uid,given_name,usual_name,email,siret
|
||||
extra_hosts:
|
||||
- "oidc2fer.127.0.0.1.nip.io:host-gateway"
|
||||
|
||||
|
||||
@@ -36,6 +36,10 @@ satosa:
|
||||
"token_endpoint_auth_method": "client_secret_post"
|
||||
}
|
||||
}
|
||||
SIRET_MAP: |-
|
||||
{
|
||||
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
|
||||
}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
|
||||
@@ -24,6 +24,11 @@ satosa:
|
||||
|
||||
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
|
||||
|
||||
SIRET_MAP: |-
|
||||
{
|
||||
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
|
||||
}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
host: oidc2fer-staging.beta.numerique.gouv.fr
|
||||
|
||||
@@ -31,3 +31,6 @@ attributes:
|
||||
uid:
|
||||
openid:
|
||||
- uid
|
||||
siret:
|
||||
openid:
|
||||
- siret
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
from .entity_id_to_siret_mapper import EntityIdToSiretMapper
|
||||
@@ -0,0 +1,23 @@
|
||||
import json
|
||||
import logging
|
||||
|
||||
from satosa.micro_services.base import ResponseMicroService
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class EntityIdToSiretMapper(ResponseMicroService):
|
||||
def __init__(self, config, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
self.attribute = config.get("attribute", "siret")
|
||||
self.mapping = json.loads(config.get("mapping_json", "{}"))
|
||||
|
||||
def process(self, context, data):
|
||||
entity_id = data.auth_info.issuer
|
||||
if entity_id in self.mapping:
|
||||
siret = self.mapping[entity_id]
|
||||
logger.info("Mapping entity ID %s to SIRET %s", entity_id, siret)
|
||||
data.attributes[self.attribute] = siret
|
||||
else:
|
||||
logger.warning("No SIRET mapping found for entity ID %s", entity_id)
|
||||
return super().process(context, data)
|
||||
@@ -43,6 +43,7 @@ config:
|
||||
- uid
|
||||
- given_name
|
||||
- usual_name
|
||||
- siret
|
||||
|
||||
# Set code/token lifetimes as short as possible
|
||||
authorization_code_lifetime: 60
|
||||
@@ -56,3 +57,5 @@ config:
|
||||
- given_name
|
||||
usual_name:
|
||||
- usual_name
|
||||
siret:
|
||||
- siret
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
module: oidc2fer.attribute_generators.EntityIdToSiretMapper
|
||||
name: EntityIdToSiretMapper
|
||||
config:
|
||||
attribute: siret
|
||||
mapping_json: !ENV SIRET_MAP
|
||||
@@ -17,6 +17,7 @@ MICRO_SERVICES:
|
||||
- plugins/microservices/primary_identifier.yaml
|
||||
- plugins/microservices/static_attributes.yaml
|
||||
- plugins/microservices/attribute_processor.yaml
|
||||
- plugins/microservices/siret_mapping.yaml
|
||||
LOGGING:
|
||||
# All the logging configuration is done in the Gunicorn config, this is just
|
||||
# here to avoid overwriting it with the default SATOSA config
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
import json
|
||||
|
||||
from satosa.context import Context
|
||||
from satosa.internal import AuthenticationInformation, InternalData
|
||||
|
||||
from oidc2fer.attribute_generators import EntityIdToSiretMapper
|
||||
|
||||
|
||||
class TestEntityIdToSiretMapper:
|
||||
def create_mapper(self):
|
||||
mapper = EntityIdToSiretMapper(
|
||||
config={
|
||||
"attribute": "siret",
|
||||
"mapping_json": json.dumps(
|
||||
{
|
||||
"https://idp.example.fr": "12345678200010",
|
||||
}
|
||||
),
|
||||
},
|
||||
name="siret_mapper",
|
||||
base_url="https://satosa.example.com",
|
||||
)
|
||||
mapper.next = lambda ctx, data: data
|
||||
return mapper
|
||||
|
||||
def test_sets_siret_for_known_entityid(self):
|
||||
mapper = self.create_mapper()
|
||||
resp = InternalData(
|
||||
auth_info=AuthenticationInformation(issuer="https://idp.example.fr")
|
||||
)
|
||||
ctx = Context()
|
||||
mapper.process(ctx, resp)
|
||||
assert resp.attributes["siret"] == "12345678200010"
|
||||
|
||||
def test_does_not_set_siret_for_unknown_entityid(self):
|
||||
mapper = self.create_mapper()
|
||||
resp = InternalData(
|
||||
auth_info=AuthenticationInformation(issuer="https://unknown.example.fr")
|
||||
)
|
||||
ctx = Context()
|
||||
mapper.process(ctx, resp)
|
||||
assert "siret" not in resp.attributes
|
||||
@@ -49,6 +49,7 @@ def oidc_to_renater(
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
"siret": "12345678200010",
|
||||
}.items() <= userinfo.items()
|
||||
return id_token
|
||||
|
||||
@@ -102,6 +103,7 @@ def pro_connect_to_renater(
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
"siret": "12345678200010",
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
|
||||
|
||||
Reference in New Issue
Block a user