diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ba047b..621fb4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## Unreleased +- map SAML entity IDs to SIRET (#34) - include ACR claim in ID token only if requested (#32) ## [1.0.8] - 2025-09-10 diff --git a/docker-compose.yml b/docker-compose.yml index ec1f90f..0a447ef 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -66,7 +66,7 @@ services: #OIDC_PROVIDER: https://oidc2fer-staging.beta.numerique.gouv.fr OIDC_CLIENT_ID: oidc-test-client OIDC_CLIENT_SECRET: oidc-test-secret - OIDC_SCOPES: openid,uid,given_name,usual_name,email + OIDC_SCOPES: openid,uid,given_name,usual_name,email,siret extra_hosts: - "oidc2fer.127.0.0.1.nip.io:host-gateway" diff --git a/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl index 7301ebe..2d38b2c 100644 --- a/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl @@ -36,6 +36,10 @@ satosa: "token_endpoint_auth_method": "client_secret_post" } } + SIRET_MAP: |- + { + "https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010" + } ingress: enabled: true diff --git a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl index c8964af..c5821eb 100644 --- a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl @@ -24,6 +24,11 @@ satosa: OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } } + SIRET_MAP: |- + { + "https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010" + } + ingress: enabled: true host: oidc2fer-staging.beta.numerique.gouv.fr diff --git a/src/satosa/internal_attributes.yaml b/src/satosa/internal_attributes.yaml index 6a76b29..a3b6e7a 100644 --- a/src/satosa/internal_attributes.yaml +++ b/src/satosa/internal_attributes.yaml @@ -31,3 +31,6 @@ attributes: uid: openid: - uid + siret: + openid: + - siret diff --git a/src/satosa/oidc2fer/attribute_generators/__init__.py b/src/satosa/oidc2fer/attribute_generators/__init__.py new file mode 100644 index 0000000..73c690f --- /dev/null +++ b/src/satosa/oidc2fer/attribute_generators/__init__.py @@ -0,0 +1 @@ +from .entity_id_to_siret_mapper import EntityIdToSiretMapper diff --git a/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py b/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py new file mode 100644 index 0000000..0b05eac --- /dev/null +++ b/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py @@ -0,0 +1,23 @@ +import json +import logging + +from satosa.micro_services.base import ResponseMicroService + +logger = logging.getLogger(__name__) + + +class EntityIdToSiretMapper(ResponseMicroService): + def __init__(self, config, *args, **kwargs): + super().__init__(*args, **kwargs) + self.attribute = config.get("attribute", "siret") + self.mapping = json.loads(config.get("mapping_json", "{}")) + + def process(self, context, data): + entity_id = data.auth_info.issuer + if entity_id in self.mapping: + siret = self.mapping[entity_id] + logger.info("Mapping entity ID %s to SIRET %s", entity_id, siret) + data.attributes[self.attribute] = siret + else: + logger.warning("No SIRET mapping found for entity ID %s", entity_id) + return super().process(context, data) diff --git a/src/satosa/plugins/frontends/openid_connect_frontend.yaml b/src/satosa/plugins/frontends/openid_connect_frontend.yaml index 9505bad..f14c718 100644 --- a/src/satosa/plugins/frontends/openid_connect_frontend.yaml +++ b/src/satosa/plugins/frontends/openid_connect_frontend.yaml @@ -43,6 +43,7 @@ config: - uid - given_name - usual_name + - siret # Set code/token lifetimes as short as possible authorization_code_lifetime: 60 @@ -56,3 +57,5 @@ config: - given_name usual_name: - usual_name + siret: + - siret diff --git a/src/satosa/plugins/microservices/siret_mapping.yaml b/src/satosa/plugins/microservices/siret_mapping.yaml new file mode 100644 index 0000000..ef00bfc --- /dev/null +++ b/src/satosa/plugins/microservices/siret_mapping.yaml @@ -0,0 +1,5 @@ +module: oidc2fer.attribute_generators.EntityIdToSiretMapper +name: EntityIdToSiretMapper +config: + attribute: siret + mapping_json: !ENV SIRET_MAP diff --git a/src/satosa/proxy_conf.yaml b/src/satosa/proxy_conf.yaml index c6bcca1..c8127bd 100644 --- a/src/satosa/proxy_conf.yaml +++ b/src/satosa/proxy_conf.yaml @@ -17,6 +17,7 @@ MICRO_SERVICES: - plugins/microservices/primary_identifier.yaml - plugins/microservices/static_attributes.yaml - plugins/microservices/attribute_processor.yaml + - plugins/microservices/siret_mapping.yaml LOGGING: # All the logging configuration is done in the Gunicorn config, this is just # here to avoid overwriting it with the default SATOSA config diff --git a/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py b/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py new file mode 100644 index 0000000..2065f86 --- /dev/null +++ b/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py @@ -0,0 +1,42 @@ +import json + +from satosa.context import Context +from satosa.internal import AuthenticationInformation, InternalData + +from oidc2fer.attribute_generators import EntityIdToSiretMapper + + +class TestEntityIdToSiretMapper: + def create_mapper(self): + mapper = EntityIdToSiretMapper( + config={ + "attribute": "siret", + "mapping_json": json.dumps( + { + "https://idp.example.fr": "12345678200010", + } + ), + }, + name="siret_mapper", + base_url="https://satosa.example.com", + ) + mapper.next = lambda ctx, data: data + return mapper + + def test_sets_siret_for_known_entityid(self): + mapper = self.create_mapper() + resp = InternalData( + auth_info=AuthenticationInformation(issuer="https://idp.example.fr") + ) + ctx = Context() + mapper.process(ctx, resp) + assert resp.attributes["siret"] == "12345678200010" + + def test_does_not_set_siret_for_unknown_entityid(self): + mapper = self.create_mapper() + resp = InternalData( + auth_info=AuthenticationInformation(issuer="https://unknown.example.fr") + ) + ctx = Context() + mapper.process(ctx, resp) + assert "siret" not in resp.attributes diff --git a/src/satosa/tests/test_e2e.py b/src/satosa/tests/test_e2e.py index cef255d..b208eff 100644 --- a/src/satosa/tests/test_e2e.py +++ b/src/satosa/tests/test_e2e.py @@ -49,6 +49,7 @@ def oidc_to_renater( "email": expected_email, "given_name": expected_given_name, "usual_name": expected_usual_name, + "siret": "12345678200010", }.items() <= userinfo.items() return id_token @@ -102,6 +103,7 @@ def pro_connect_to_renater( "email": expected_email, "given_name": expected_given_name, "usual_name": expected_usual_name, + "siret": "12345678200010", }.items() <= result.items() return result