From ddc09cca5088118e93060fa499c9abf80450cfd3 Mon Sep 17 00:00:00 2001 From: Jacques ROUSSEL Date: Fri, 28 Mar 2025 14:25:00 +0100 Subject: [PATCH 01/22] =?UTF-8?q?=F0=9F=90=9B(ci)=20use=20github=20action?= =?UTF-8?q?=20for=20argocd=20webhook=20notification?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to refactor this notification between alls projetcs, we chooseto use a custom github action --- .github/workflows/docker-hub.yml | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml index d77dd74..227f828 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/docker-hub.yml @@ -65,29 +65,9 @@ jobs: needs: - build-and-push steps: - - - uses: actions/create-github-app-token@v1 - id: app-token + - uses: numerique-gouv/action-argocd-webhook-notification@main + id: notify with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "oidc2fer,secrets" - - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Load sops secrets - uses: rouja/actions-sops@main - with: - secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} - - - name: Call argocd github webhook - run: | - data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}' - sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}') - curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL + deployment_repo_path: "${{ github.repository }}" + argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}" + argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}" From 589d447f19068bc9f792e01dcb56b06676ed0848 Mon Sep 17 00:00:00 2001 From: Jacques ROUSSEL Date: Fri, 28 Mar 2025 14:40:56 +0100 Subject: [PATCH 02/22] =?UTF-8?q?=F0=9F=90=9B(ci)=20fix=20helmfile=20linte?= =?UTF-8?q?r?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Latest helmfile version breaks lots of thing. --- .github/workflows/helmfile-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helmfile-linter.yml b/.github/workflows/helmfile-linter.yml index 5e37fa3..d018e65 100644 --- a/.github/workflows/helmfile-linter.yml +++ b/.github/workflows/helmfile-linter.yml @@ -10,7 +10,7 @@ jobs: helmfile-lint: runs-on: ubuntu-latest container: - image: ghcr.io/helmfile/helmfile:latest + image: ghcr.io/helmfile/helmfile:v0.171.0 steps: - uses: numerique-gouv/action-helmfile-lint@main From bf015c923840c079ded40d2185333d5ce1edda73 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 7 May 2025 12:21:00 +0200 Subject: [PATCH 03/22] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(docker)=20remove=20?= =?UTF-8?q?unused=20APT=20dependencies=20that=20trigger=20a=20CVE=20warnin?= =?UTF-8?q?g?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Specifically CVE-2023-45853 was flagged in our Docker image, but it is in libfreetype6 which we don't use, and is only pulled in because of a recommended depdency of `gcc` — which we don't need in any case. --- Dockerfile | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index eed08b8..125974f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,11 @@ # ---- base image to inherit from ---- -FROM python:3.11-slim-bookworm as common +FROM python:3.11.12-slim-bookworm AS common # Install xmlsec1 dependencies required for xmlsec (for SAML) # Needs to be kept before the `pip install` RUN apt-get update && \ apt-get -y upgrade && \ - apt-get install -y \ - pkg-config \ - gcc \ - xmlsec1 \ - libxml2-dev \ - libxmlsec1-dev \ - libxmlsec1-openssl && \ + apt-get install -qy --no-install-recommends xmlsec1 && \ rm -rf /var/lib/apt/lists/* # We want the most up-to-date stable pip release @@ -19,7 +13,7 @@ RUN pip install --upgrade pip ENV PYTHONUNBUFFERED=1 -# Give the "root" group the same permissions as the "root" user on /etc/passwd +# Give the "root" group the same permissions AS the "root" user on /etc/passwd # to allow a user belonging to the root group to add new users; typically the # docker user (see entrypoint). RUN chmod g=u /etc/passwd @@ -41,7 +35,7 @@ COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satos CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"] # ---- Development image ---- -FROM common as development +FROM common AS development # Playwright browsers ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers @@ -67,7 +61,7 @@ COPY ./src/satosa /app/ USER ${DOCKER_USER} # ---- Production image (keep last so it is the default target) ---- -FROM common as production +FROM common AS production # Copy oidc2fer application (see .dockerignore) COPY ./src/satosa /app/ From 96299e13864b961d632aece4f7da3f171e527461 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 7 May 2025 12:29:37 +0200 Subject: [PATCH 04/22] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20(deps)=20Bump=20guni?= =?UTF-8?q?corn=20to=2023.0.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 4 ++++ src/satosa/pyproject.toml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0cc0d0..275d80b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +- remove unused APT dependencies +- upgrade to gunicorn 23.0.0 + ## [1.0.6] - 2025-03-11 - upgrade to SATOSA 8.5.1 - allow faculty, staff, employee, researcher, teacher affiliations diff --git a/src/satosa/pyproject.toml b/src/satosa/pyproject.toml index 2c8e76f..fabe804 100644 --- a/src/satosa/pyproject.toml +++ b/src/satosa/pyproject.toml @@ -24,7 +24,7 @@ readme = "README.md" requires-python = ">=3.11" dependencies = [ "SATOSA==8.5.1", - "gunicorn==22.0.0", + "gunicorn==23.0.0", "redis==5.0.4", "JSON-log-formatter==1.0", "WhiteNoise==6.7.0", From 425365d22ae45eb5dda7ca0689e4aa30230484fa Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 7 May 2025 17:07:48 +0200 Subject: [PATCH 05/22] v1.0.7 release --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 275d80b..cb4eaf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## Unreleased +## [1.0.7] - 2025-05-07 - remove unused APT dependencies - upgrade to gunicorn 23.0.0 From 8cd89621b2117f55ce6dff8274bbe847f27d6867 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 7 May 2025 17:08:42 +0200 Subject: [PATCH 06/22] Deploy release v1.0.7 to production. --- src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index 11ae56a..6ed6d2d 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -1,7 +1,7 @@ image: repository: lasuite/oidc2fer pullPolicy: Always - tag: "v1.0.6" + tag: "v1.0.7" satosa: replicas: 2 From 38707412b39bb1d01820347d8007258568be87d1 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 15:24:56 +0200 Subject: [PATCH 07/22] =?UTF-8?q?=F0=9F=94=A7(secrets)=20change=20secrets?= =?UTF-8?q?=20submodule=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the oidcfer repo moved to a different organization the relative path to the secrets submodule needs to change. --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index 0846cc2..cb96d19 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "secrets"] path = secrets - url = ../secrets + url = ../../numerique-gouv/secrets From 26878684656d63b900d5f1ad8a6687dee2f868e1 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 15:50:34 +0200 Subject: [PATCH 08/22] =?UTF-8?q?=F0=9F=93=9D(repo)=20update=20remaining?= =?UTF-8?q?=20references=20to=20numerique-gouv?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also updating CHANGELOG. --- .github/ISSUE_TEMPLATE/Support_question.md | 4 ++-- CHANGELOG.md | 5 +++++ README.md | 2 +- src/satosa/pyproject.toml | 8 ++++---- 4 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/Support_question.md b/.github/ISSUE_TEMPLATE/Support_question.md index 3a2a5d3..dab7d18 100644 --- a/.github/ISSUE_TEMPLATE/Support_question.md +++ b/.github/ISSUE_TEMPLATE/Support_question.md @@ -9,9 +9,9 @@ We primarily use GitHub as an issue tracker. If however you're encountering an i --- -Please make sure you have read our [main Readme](https://github.com/numerique-gouv/oidc2fer). +Please make sure you have read our [main Readme](https://github.com/proconnect-gouv/oidc2fer). -Also make sure it was not already answered in [an open or close issue](https://github.com/numerique-gouv/oidc2fer/issues). +Also make sure it was not already answered in [an open or close issue](https://github.com/proconnect-gouv/oidc2fer/issues). If your question was not covered, and you feel like it should be, fire away! We'd love to improve our docs! 👌 diff --git a/CHANGELOG.md b/CHANGELOG.md index cb4eaf7..e159800 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +- fix secrets submodule path following move to `proconnect-gouv` organization +- update other references to `numerique-gouv` organization +- publish Docker images at ghcr.io/proconnect-gouv/oidc2fer + ## [1.0.7] - 2025-05-07 - remove unused APT dependencies - upgrade to gunicorn 23.0.0 diff --git a/README.md b/README.md index 4ac64a2..ea0548a 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ number and date. ## Deploying a release to production (DINUM instance) 1. Make sure the release you want to deploy has been built and appears on - https://hub.docker.com/r/lasuite/oidc2fer/tags . + https://github.com/proconnect-gouv/oidc2fer/pkgs/container/oidc2fer 2. Edit `image/tag` at the top of `src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl`. 3. Commit and push to `main`. diff --git a/src/satosa/pyproject.toml b/src/satosa/pyproject.toml index fabe804..593c0a0 100644 --- a/src/satosa/pyproject.toml +++ b/src/satosa/pyproject.toml @@ -31,10 +31,10 @@ dependencies = [ ] [project.urls] -"Bug Tracker" = "https://github.com/numerique-gouv/oidc2fer/issues/new" -"Changelog" = "https://github.com/numerique-gouv/oidc2fer/blob/main/CHANGELOG.md" -"Homepage" = "https://github.com/numerique-gouv/oidc2fer" -"Repository" = "https://github.com/numerique-gouv/oidc2fer" +"Bug Tracker" = "https://github.com/proconnect-gouv/oidc2fer/issues/new" +"Changelog" = "https://github.com/proconnect-gouv/oidc2fer/blob/main/CHANGELOG.md" +"Homepage" = "https://github.com/proconnect-gouv/oidc2fer" +"Repository" = "https://github.com/proconnect-gouv/oidc2fer" [project.optional-dependencies] dev = [ From c51c95e00720e604ddfe7b105b7d3a03185c20b7 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 15:59:39 +0200 Subject: [PATCH 09/22] =?UTF-8?q?=F0=9F=92=9A(ci)=20fix=20CI=20jobs=20post?= =?UTF-8?q?=20org=20move?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - use the GitHub app on numerique-gouv only to access the secrets repo - inline helmfile-lint action (it only works on repos in numerique-gouv currently) - replace deprecated `git whatchanged` with `git log` - publish to ghcr.io instead of Docker Hub - rename workflows to match other proconnect-gouv repos --- .../{docker-hub.yml => build-docker.yml} | 56 +++++++++---------- .../workflows/{oidc2fer.yml => ci-tests.yml} | 40 ++++++++++++- .github/workflows/helmfile-linter.yml | 22 -------- .../env.d/staging/values.oidc2fer.yaml.gotmpl | 4 +- 4 files changed, 64 insertions(+), 58 deletions(-) rename .github/workflows/{docker-hub.yml => build-docker.yml} (50%) rename .github/workflows/{oidc2fer.yml => ci-tests.yml} (68%) delete mode 100644 .github/workflows/helmfile-linter.yml diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/build-docker.yml similarity index 50% rename from .github/workflows/docker-hub.yml rename to .github/workflows/build-docker.yml index 227f828..7b45922 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/build-docker.yml @@ -1,7 +1,6 @@ -name: Docker Hub Workflow +name: 🐳 Build docker images on: - workflow_dispatch: push: branches: - 'main' @@ -14,42 +13,37 @@ on: jobs: build-and-push: runs-on: ubuntu-latest + permissions: + packages: write steps: - - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: "oidc2fer,secrets" - - - name: Checkout repository + - name: Checkout repository uses: actions/checkout@v4 - with: - submodules: recursive - token: ${{ steps.app-token.outputs.token }} - - - name: Set up Docker Buildx + + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - - name: Docker meta + + - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: lasuite/oidc2fer - - - name: Load sops secrets - uses: rouja/actions-sops@main + images: ghcr.io/${{ github.repository }} + tags: | + type=ref,event=branch + type=ref,event=tag + type=ref,event=pr + type=sha,prefix=sha- + # set latest tag for default branch + type=raw,value=latest,enable={{is_default_branch}} + + - name: Login to Github Container Registry + uses: docker/login-action@v3 with: - secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env - age-key: ${{ secrets.SOPS_PRIVATE }} - - - name: Login to DockerHub - run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin - - - name: Build and push - uses: docker/build-push-action@v5 + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ github.token }} + + - name: Build and push + uses: docker/build-push-action@v6 with: context: . target: production diff --git a/.github/workflows/oidc2fer.yml b/.github/workflows/ci-tests.yml similarity index 68% rename from .github/workflows/oidc2fer.yml rename to .github/workflows/ci-tests.yml index 65a4d1a..ee35419 100644 --- a/.github/workflows/oidc2fer.yml +++ b/.github/workflows/ci-tests.yml @@ -1,4 +1,4 @@ -name: OIDC2FER Workflow +name: 💚 CI Tests on: push: @@ -23,7 +23,7 @@ jobs: run: git log - name: Enforce absence of print statements in code run: | - ! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude)**/oidc2fer.yml' | grep "print(" + ! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude).github/**' | grep "print(" - name: Check absence of fixup commits run: | ! git log | grep 'fixup!' @@ -43,7 +43,7 @@ jobs: with: fetch-depth: 0 - name: Check that the CHANGELOG has been modified in the current branch - run: git whatchanged --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG + run: git log --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG lint-changelog: runs-on: ubuntu-latest @@ -101,3 +101,37 @@ jobs: pip install --user .[dev] - name: Run tests run: ~/.local/bin/pytest + + helmfile-lint: + runs-on: ubuntu-latest + container: + image: ghcr.io/helmfile/helmfile:v0.171.0 + steps: + - + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + owner: numerique-gouv + repositories: secrets + - + name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: recursive + token: ${{ steps.app-token.outputs.token }} + - + name: Helmfile lint + shell: bash + run: | + mkdir -p ~/.config/sops/age/ + echo ${{ secrets.SOPS_PRIVATE }} > ~/.config/sops/age/keys.txt + set -e + HELMFILE=src/helm/helmfile.yaml + environments=$(awk '/environments:/ {flag=1; next} flag && NF {print} !NF {flag=0}' "$HELMFILE" | grep -E '^[[:space:]]{2}[a-zA-Z]+' | sed 's/^[[:space:]]*//;s/:.*//') + for env in $environments; do + echo "################### $env lint ###################" + helmfile -e $env -f src/helm/helmfile.yaml lint || exit 1 + echo -e "\n" + done diff --git a/.github/workflows/helmfile-linter.yml b/.github/workflows/helmfile-linter.yml deleted file mode 100644 index d018e65..0000000 --- a/.github/workflows/helmfile-linter.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Helmfile lint -run-name: Helmfile lint - -on: - pull_request: - branches: - - 'main' - -jobs: - helmfile-lint: - runs-on: ubuntu-latest - container: - image: ghcr.io/helmfile/helmfile:v0.171.0 - steps: - - - uses: numerique-gouv/action-helmfile-lint@main - with: - app-id: ${{ secrets.APP_ID }} - age-key: ${{ secrets.SOPS_PRIVATE }} - private-key: ${{ secrets.PRIVATE_KEY }} - helmfile-src: "src/helm" - repositories: "oidc2fer,secrets" diff --git a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl index 4b60cc3..a8e369a 100644 --- a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl @@ -1,7 +1,7 @@ image: - repository: lasuite/oidc2fer + repository: proconnect-gouv/oidc2fer pullPolicy: Always - tag: "main" + tag: "latest" satosa: replicas: 2 From 850636970c544be568ede164c38244b2190dbd20 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 18:06:02 +0200 Subject: [PATCH 10/22] =?UTF-8?q?=F0=9F=9A=80(staging)=20add=20missing=20g?= =?UTF-8?q?hcr.io=20prefix=20to=20image=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without a registry name, Docker Hub is still the default. --- src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl index a8e369a..c8964af 100644 --- a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl @@ -1,5 +1,5 @@ image: - repository: proconnect-gouv/oidc2fer + repository: ghcr.io/proconnect-gouv/oidc2fer pullPolicy: Always tag: "latest" From 1bceed13731390045c207c73c5af49c00f0c4061 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 7 May 2025 17:07:48 +0200 Subject: [PATCH 11/22] v1.0.8 release --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e159800..b7796f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## Unreleased +## [1.0.8] - 2025-09-10 - fix secrets submodule path following move to `proconnect-gouv` organization - update other references to `numerique-gouv` organization - publish Docker images at ghcr.io/proconnect-gouv/oidc2fer From 445485ecc5812f04b8986b27522b3a6e98c9d54b Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 18:19:49 +0200 Subject: [PATCH 12/22] Deploy release 1.0.8 to production --- src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index 6ed6d2d..d626f0b 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -1,7 +1,7 @@ image: repository: lasuite/oidc2fer pullPolicy: Always - tag: "v1.0.7" + tag: "v1.0.8" satosa: replicas: 2 From 3ecbf1a5a0b76ad443533d2629e2087ac51d08ac Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 10 Sep 2025 18:23:52 +0200 Subject: [PATCH 13/22] Fix docker registry for production --- src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index d626f0b..e006f66 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -1,5 +1,5 @@ image: - repository: lasuite/oidc2fer + repository: ghcr.io/proconnect-gouv/oidc2fer pullPolicy: Always tag: "v1.0.8" From 7b1571b0ed8db7e7f235e09807d2b1828c1bb1ec Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Mon, 18 Aug 2025 15:26:03 +0200 Subject: [PATCH 14/22] =?UTF-8?q?=E2=9C=85(e2e)=20fix=20e2e=20test=20to=20?= =?UTF-8?q?more=20reliably=20select=20test=20IdP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The list of IdPs on the RENATER test federation seems to have grown enough that the test IdP we want is no longer displayed by default, so we have to search for it. --- src/satosa/tests/test_e2e.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/satosa/tests/test_e2e.py b/src/satosa/tests/test_e2e.py index 20ab6fa..1635864 100644 --- a/src/satosa/tests/test_e2e.py +++ b/src/satosa/tests/test_e2e.py @@ -20,6 +20,7 @@ def renater_test_idp(page, login): def renater_wayf(page): page.get_by_text("Veuillez sélectionner").click() + page.get_by_role("searchbox").fill("GIP RENATER - IdP de test") page.get_by_role("option", name="GIP RENATER - IdP de test", exact=True).click() page.get_by_role("button", name="Sélection").click() From a8bf8f61b4a22837a421550266fe2f94b0265e0d Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 17 Sep 2025 15:27:54 +0200 Subject: [PATCH 15/22] =?UTF-8?q?=F0=9F=90=9B(oidc)=20stop=20forcing=20id?= =?UTF-8?q?=5Ftoken=20'acr'=20claim?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is a regression in pyop 3.4.2 which causes the configured extra_id_token_claims to be ignored. Fortunately, ProConnect Core now requests the required `acr` claim explicitly, so it is no longer necessary to force it. The OIDC test client was updated to request the `acr` claim in the same way that ProConnect does it. --- CHANGELOG.md | 3 +++ docker/oidc-test-client/app.py | 6 ++---- src/satosa/plugins/frontends/openid_connect_frontend.yaml | 5 ----- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7796f3..0ba047b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +- include ACR claim in ID token only if requested (#32) + ## [1.0.8] - 2025-09-10 - fix secrets submodule path following move to `proconnect-gouv` organization - update other references to `numerique-gouv` organization diff --git a/docker/oidc-test-client/app.py b/docker/oidc-test-client/app.py index 201a4db..d6ac74c 100644 --- a/docker/oidc-test-client/app.py +++ b/docker/oidc-test-client/app.py @@ -2,13 +2,10 @@ from flask import Flask, jsonify, request, session from oic.oic import Client from oic.utils.authn.client import CLIENT_AUTHN_METHOD from oic import rndstr -from oic.oic.message import RegistrationResponse +from oic.oic.message import Claims, ClaimsRequest, RegistrationResponse from oic.utils.http_util import Redirect from oic.oic.message import AuthorizationResponse import secrets -import webbrowser -import threading -import time import logging import os @@ -52,6 +49,7 @@ def index(): "nonce": session["nonce"], "redirect_uri": client.registration_response["redirect_uris"][0], "state": session["state"], + "claims": ClaimsRequest(id_token=Claims(acr=None, amr=None)), } ) login_url = auth_req.request(client.authorization_endpoint) diff --git a/src/satosa/plugins/frontends/openid_connect_frontend.yaml b/src/satosa/plugins/frontends/openid_connect_frontend.yaml index 8bf9d66..9505bad 100644 --- a/src/satosa/plugins/frontends/openid_connect_frontend.yaml +++ b/src/satosa/plugins/frontends/openid_connect_frontend.yaml @@ -56,8 +56,3 @@ config: - given_name usual_name: - usual_name - extra_id_token_claims: - oidc-test-client: - - acr - agent-connect: - - acr From a56ce17b3477c7dc3b7c7e3b8d1361123a24594d Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 17 Sep 2025 15:23:47 +0200 Subject: [PATCH 16/22] =?UTF-8?q?=E2=AC=86=EF=B8=8F(oidc-test-client)=20up?= =?UTF-8?q?grade=20oic=20to=201.7.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This mainly avoids a conflict with the oidc2fer requirements when installing both in a local virtualenv for IDE support. --- docker/oidc-test-client/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/oidc-test-client/requirements.txt b/docker/oidc-test-client/requirements.txt index 7ee47b1..9651550 100644 --- a/docker/oidc-test-client/requirements.txt +++ b/docker/oidc-test-client/requirements.txt @@ -1,2 +1,2 @@ Flask==3.0.3 -oic==1.6.1 +oic==1.7.0 From 9a33149e9e114146ddbf5aaa661cc4055f050df7 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Wed, 17 Sep 2025 15:50:45 +0200 Subject: [PATCH 17/22] =?UTF-8?q?=E2=9C=85(e2e)=20adapt=20to=20ProConnect?= =?UTF-8?q?=20error=20page=20wording=20change?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The generic message was replaced by the error code and description from the IdP. --- src/satosa/tests/test_e2e.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/satosa/tests/test_e2e.py b/src/satosa/tests/test_e2e.py index 1635864..cef255d 100644 --- a/src/satosa/tests/test_e2e.py +++ b/src/satosa/tests/test_e2e.py @@ -126,7 +126,7 @@ def test_pro_connect_to_renater_student_not_allowed(page: Page): renater_wayf(page) renater_test_idp(page, login="etudiant1") - expect(page.locator("body")).to_contain_text("Une erreur technique est survenue.") + expect(page.locator("body")).to_contain_text("access_denied") @pytest.mark.skipif( From 6c344fae0581003a704fde56052cccebb0de49c7 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Thu, 2 Oct 2025 19:16:24 +0200 Subject: [PATCH 18/22] =?UTF-8?q?=E2=9C=A8(siret)=20introduce=20SIRET=20ma?= =?UTF-8?q?pping=20from=20EntityID?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The proxy now uses a SIRET_MAP environment variable that must contain a JSON mapping of SAML entity IDs to SIRET numbers. These SIRET numbers will be returned to OIDC clients that request the `siret` scope, in the `siret` claim. --- CHANGELOG.md | 1 + docker-compose.yml | 2 +- .../env.d/dev/values.oidc2fer.yaml.gotmpl | 4 ++ .../env.d/staging/values.oidc2fer.yaml.gotmpl | 5 +++ src/satosa/internal_attributes.yaml | 3 ++ .../oidc2fer/attribute_generators/__init__.py | 1 + .../entity_id_to_siret_mapper.py | 23 ++++++++++ .../frontends/openid_connect_frontend.yaml | 3 ++ .../plugins/microservices/siret_mapping.yaml | 5 +++ src/satosa/proxy_conf.yaml | 1 + .../test_entity_id_to_siret_mapper.py | 42 +++++++++++++++++++ src/satosa/tests/test_e2e.py | 2 + 12 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 src/satosa/oidc2fer/attribute_generators/__init__.py create mode 100644 src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py create mode 100644 src/satosa/plugins/microservices/siret_mapping.yaml create mode 100644 src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ba047b..621fb4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## Unreleased +- map SAML entity IDs to SIRET (#34) - include ACR claim in ID token only if requested (#32) ## [1.0.8] - 2025-09-10 diff --git a/docker-compose.yml b/docker-compose.yml index ec1f90f..0a447ef 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -66,7 +66,7 @@ services: #OIDC_PROVIDER: https://oidc2fer-staging.beta.numerique.gouv.fr OIDC_CLIENT_ID: oidc-test-client OIDC_CLIENT_SECRET: oidc-test-secret - OIDC_SCOPES: openid,uid,given_name,usual_name,email + OIDC_SCOPES: openid,uid,given_name,usual_name,email,siret extra_hosts: - "oidc2fer.127.0.0.1.nip.io:host-gateway" diff --git a/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl index 7301ebe..2d38b2c 100644 --- a/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/dev/values.oidc2fer.yaml.gotmpl @@ -36,6 +36,10 @@ satosa: "token_endpoint_auth_method": "client_secret_post" } } + SIRET_MAP: |- + { + "https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010" + } ingress: enabled: true diff --git a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl index c8964af..c5821eb 100644 --- a/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/staging/values.oidc2fer.yaml.gotmpl @@ -24,6 +24,11 @@ satosa: OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } } + SIRET_MAP: |- + { + "https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010" + } + ingress: enabled: true host: oidc2fer-staging.beta.numerique.gouv.fr diff --git a/src/satosa/internal_attributes.yaml b/src/satosa/internal_attributes.yaml index 6a76b29..a3b6e7a 100644 --- a/src/satosa/internal_attributes.yaml +++ b/src/satosa/internal_attributes.yaml @@ -31,3 +31,6 @@ attributes: uid: openid: - uid + siret: + openid: + - siret diff --git a/src/satosa/oidc2fer/attribute_generators/__init__.py b/src/satosa/oidc2fer/attribute_generators/__init__.py new file mode 100644 index 0000000..73c690f --- /dev/null +++ b/src/satosa/oidc2fer/attribute_generators/__init__.py @@ -0,0 +1 @@ +from .entity_id_to_siret_mapper import EntityIdToSiretMapper diff --git a/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py b/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py new file mode 100644 index 0000000..0b05eac --- /dev/null +++ b/src/satosa/oidc2fer/attribute_generators/entity_id_to_siret_mapper.py @@ -0,0 +1,23 @@ +import json +import logging + +from satosa.micro_services.base import ResponseMicroService + +logger = logging.getLogger(__name__) + + +class EntityIdToSiretMapper(ResponseMicroService): + def __init__(self, config, *args, **kwargs): + super().__init__(*args, **kwargs) + self.attribute = config.get("attribute", "siret") + self.mapping = json.loads(config.get("mapping_json", "{}")) + + def process(self, context, data): + entity_id = data.auth_info.issuer + if entity_id in self.mapping: + siret = self.mapping[entity_id] + logger.info("Mapping entity ID %s to SIRET %s", entity_id, siret) + data.attributes[self.attribute] = siret + else: + logger.warning("No SIRET mapping found for entity ID %s", entity_id) + return super().process(context, data) diff --git a/src/satosa/plugins/frontends/openid_connect_frontend.yaml b/src/satosa/plugins/frontends/openid_connect_frontend.yaml index 9505bad..f14c718 100644 --- a/src/satosa/plugins/frontends/openid_connect_frontend.yaml +++ b/src/satosa/plugins/frontends/openid_connect_frontend.yaml @@ -43,6 +43,7 @@ config: - uid - given_name - usual_name + - siret # Set code/token lifetimes as short as possible authorization_code_lifetime: 60 @@ -56,3 +57,5 @@ config: - given_name usual_name: - usual_name + siret: + - siret diff --git a/src/satosa/plugins/microservices/siret_mapping.yaml b/src/satosa/plugins/microservices/siret_mapping.yaml new file mode 100644 index 0000000..ef00bfc --- /dev/null +++ b/src/satosa/plugins/microservices/siret_mapping.yaml @@ -0,0 +1,5 @@ +module: oidc2fer.attribute_generators.EntityIdToSiretMapper +name: EntityIdToSiretMapper +config: + attribute: siret + mapping_json: !ENV SIRET_MAP diff --git a/src/satosa/proxy_conf.yaml b/src/satosa/proxy_conf.yaml index c6bcca1..c8127bd 100644 --- a/src/satosa/proxy_conf.yaml +++ b/src/satosa/proxy_conf.yaml @@ -17,6 +17,7 @@ MICRO_SERVICES: - plugins/microservices/primary_identifier.yaml - plugins/microservices/static_attributes.yaml - plugins/microservices/attribute_processor.yaml + - plugins/microservices/siret_mapping.yaml LOGGING: # All the logging configuration is done in the Gunicorn config, this is just # here to avoid overwriting it with the default SATOSA config diff --git a/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py b/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py new file mode 100644 index 0000000..2065f86 --- /dev/null +++ b/src/satosa/tests/oidc2fer/attribute_generators/test_entity_id_to_siret_mapper.py @@ -0,0 +1,42 @@ +import json + +from satosa.context import Context +from satosa.internal import AuthenticationInformation, InternalData + +from oidc2fer.attribute_generators import EntityIdToSiretMapper + + +class TestEntityIdToSiretMapper: + def create_mapper(self): + mapper = EntityIdToSiretMapper( + config={ + "attribute": "siret", + "mapping_json": json.dumps( + { + "https://idp.example.fr": "12345678200010", + } + ), + }, + name="siret_mapper", + base_url="https://satosa.example.com", + ) + mapper.next = lambda ctx, data: data + return mapper + + def test_sets_siret_for_known_entityid(self): + mapper = self.create_mapper() + resp = InternalData( + auth_info=AuthenticationInformation(issuer="https://idp.example.fr") + ) + ctx = Context() + mapper.process(ctx, resp) + assert resp.attributes["siret"] == "12345678200010" + + def test_does_not_set_siret_for_unknown_entityid(self): + mapper = self.create_mapper() + resp = InternalData( + auth_info=AuthenticationInformation(issuer="https://unknown.example.fr") + ) + ctx = Context() + mapper.process(ctx, resp) + assert "siret" not in resp.attributes diff --git a/src/satosa/tests/test_e2e.py b/src/satosa/tests/test_e2e.py index cef255d..b208eff 100644 --- a/src/satosa/tests/test_e2e.py +++ b/src/satosa/tests/test_e2e.py @@ -49,6 +49,7 @@ def oidc_to_renater( "email": expected_email, "given_name": expected_given_name, "usual_name": expected_usual_name, + "siret": "12345678200010", }.items() <= userinfo.items() return id_token @@ -102,6 +103,7 @@ def pro_connect_to_renater( "email": expected_email, "given_name": expected_given_name, "usual_name": expected_usual_name, + "siret": "12345678200010", }.items() <= result.items() return result From 1557f7ba2244d7440aaaf1f073210d3d05dd2775 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Fri, 3 Oct 2025 13:10:40 +0200 Subject: [PATCH 19/22] =?UTF-8?q?=F0=9F=94=A7(siret)=20add=20initial=20SIR?= =?UTF-8?q?ET=20map=20to=20production=20environment?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This mapping was provided by RENATER on 2025-09-19. --- .../values.oidc2fer.yaml.gotmpl | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index e006f66..6659212 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -24,6 +24,94 @@ satosa: OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } } + # As provided by RENATER on 2025-09-19 + SIRET_MAP: |- + { + "https://shibboleth.grenoble-inp.fr/idp/shibboleth": "19381912500017", + "https://identites.ensea.fr/idp/shibboleth": "19951376300011", + "https://idp.ent.dauphine.fr/idp/shibboleth": "19754692200018", + "https://idp.univ-lyon2.fr/idp/shibboleth": "19691775100014", + "https://shibboleth.insa-rouen.fr/idp/shibboleth": "19760165100023", + "https://idp1.univ-fcomte.fr/idp/shibboleth": "19251215000363", + "https://idp.univ-tours.fr/idp/shibboleth": "19370800500478", + "https://apps.univ-lr.fr/idp/shibboleth": "19170032700015", + "https://shib.mines-albi.fr/idp/shibboleth": "19811200500022", + "https://federation.upf.pf/idp/shibboleth": "19987001500013", + "https://federation.utbm.fr/idp/shibboleth": "19900356700013", + "urn:mace:cru.fr:federation:univ-paris1.fr": "19751717000019", + "https://idp.sciencespobordeaux.fr/idp/shibboleth": "19330192600039", + "https://vip.espci.fr/saml2/idp/metadata.php": "20000068500012", + "urn:mace:cru.fr:federation:univ-nantes.fr": "13002974700016", + "https://shibboleth.univ-corse.fr/idp/shibboleth": "19202664900264", + "https://srv-fii.insa-toulouse.fr/idp/shibboleth": "19310152400018", + "urn:mace:cru.fr:federation:univ-rouen.fr": "19761904200017", + "https://ident-shib.ensc-rennes.fr/idp/shibboleth": "19350077400016", + "urn:mace:cru.fr:federation:unilim.fr": "19870669900321", + "https://idp.inha.fr/idp/shibboleth": "19754688000018", + "https://federation.unimes.fr/idp/shibboleth": "13000375900029", + "urn:mace:cru.fr:federation:univ-rennes1.fr": "13003051300019", + "urn:mace:cru.fr:federation:univ-ubs.fr": "19561718800600", + "https://idp.univ-orleans.fr/idp/shibboleth": "19450855200016", + "https://shibboleth.univ-savoie.fr/idp/shibboleth": "19730858800015", + "https://idp.cirad.fr/idp/shibboleth": "33159627000016", + "https://sso.ird.fr/idp/shibboleth": "18000602500159", + "https://idp.ensma.fr/idp/shibboleth": "19860073600021", + "https://idp.renater.fr/idp/shibboleth": "18008947600055", + "https://idp.inp-toulouse.fr/idp/shibboleth": "19311381800127", + "https://idp.unistra.fr/idp/shibboleth": "13000545700010", + "https://idp1.agroparistech.fr/idp/shibboleth": "13000285000134", + "https://janus.cnrs.fr/idp": "18008901303720", + "https://federation.umontpellier.fr/idp/shibboleth": "13002979600013", + "https://idp.sciencespo-lyon.fr/idp/shibboleth": "19690173000024", + "https://shibboleth.univ-grenoble-alpes.fr/idp/shibboleth": "13002608100013", + "https://idp.bnu.fr/idp/shibboleth": "18004406700015", + "https://ruhnu.univ-tlse2.fr/idp/shibboleth": "19311383400017", + "https://idp2.amue.fr/idp/shibboleth": "18004312700083", + "https://idpv3.univ-amu.fr/idp/shibboleth": "13001533200013", + "https://idp-ng.univ-st-etienne.fr/idp/shibboleth": "93850168100010", + "https://identities.univ-jfc.fr/idp/prod": "19811201300018", + "https://idp3.univ-lorraine.fr/idp/shibboleth": "13001550600012", + "https://idp.univ-lemans.fr/idp/shibboleth": "19720916600010", + "https://idp.univ-lille.fr/idp/shibboleth": "13002975400012", + "https://idp.univ-tln.fr/idp/shibboleth": "19830766200017", + "https://idp.uca.fr/idp/shibboleth": "13002806100013", + "https://shibboleth3.utt.fr/idp/shibboleth": "19101060200032", + "https://idp3.ut-capitole.fr/idp/shibboleth": "19311382600013", + "https://idp.imt-atlantique.fr/idp/shibboleth": "18009202500121", + "https://shib.univ-lehavre.fr/idp/shibboleth": "19762762300097", + "https://idp2.univ-paris8.fr/idp/shibboleth": "19931827000014", + "https://shib2.unc.nc/idp/shibboleth": "13000322100012", + "https://upnidp2.parisnanterre.fr/idp/shibboleth": "19921204400010", + "https://idp.ensfea.fr/idp/shibboleth": "19310143300012", + "https://idp.univ-eiffel.fr/idp/shibboleth": "13002612300013", + "https://idp.insa-rennes.fr/idp/shibboleth": "19350097200016", + "https://idp.univ-tlse3.fr/idp/shibboleth": "93827139200012", + "https://idp.universite-paris-saclay.fr/idp": "13002602400054", + "https://shibboleth.ens2m.fr/idp/shibboleth": "19250082500026", + "https://sso-ciation-saclay.centralesupelec.fr/idp/shibboleth": "13002076100016", + "https://federation.ens.psl.eu/idp/shibboleth": "19753459700012", + "https://authentification.inrae.fr/saml/metadata/idp": "18007003901803", + "https://idp.ensam.eu/idp/shibboleth": "19753472000010", + "https://idp1.ens-paris-saclay.fr/idp/shibboleth": "19940607500036", + "https://idp2.emse.fr/idp/shibboleth": "18009202500105", + "https://idp-septa.onisep.fr/idp/shibboleth": "18004302800653", + "https://papangue.vetagro-sup.fr/idp/shibboleth": "13000858400018", + "https://multipass.imt-nord-europe.fr/idp/shibboleth": "18009202500139", + "https://idp4.unicaen.fr/idp/shibboleth": "19141408500016", + "https://sso.bordeaux-inp.fr/idp/shibboleth": "13000635600013", + "https://auth.uttop.fr/saml/metadata": "19650048200019", + "https://idp.univ-cotedazur.fr/idp/shibboleth": "13002566100013", + "https://idp2.brgm.fr/idp/shibboleth": "58205614900120", + "https://idp.crous-reims.fr/idp/shibboleth": "18510200100012", + "https://idp.univ-avignon.fr/idp/shibboleth": "19840685200204", + "https://idp-genci.renater.fr/idp/shibboleth": "49468697500041", + "https://auth.sso.vet-alfort.fr/saml/metadata": "19940608300014", + "https://idp.univ-perp.fr/idp/shibboleth": "19660437500010", + "https://idp.institut-agro.fr/idp": "13000279300011", + "https://prod-idp.inria.fr": "18008904700013", + "https://idp.ec-nantes.fr/idp/shibboleth": "19440100600011" + } + ingress: enabled: true host: renater.agentconnect.gouv.fr From 3401da37ffad0ca8875bbf0a411e942c62c31010 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Fri, 3 Oct 2025 13:19:29 +0200 Subject: [PATCH 20/22] v1.0.9 release --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 621fb4f..f5a4f6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## Unreleased +## [1.0.9] - 2025-10-03 - map SAML entity IDs to SIRET (#34) - include ACR claim in ID token only if requested (#32) From 4e84ec0f2b0eb7515c460e6f8c7bfc0cd1eea55c Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Fri, 3 Oct 2025 13:22:03 +0200 Subject: [PATCH 21/22] Deploy release v1.0.9 to production --- src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index 6659212..85e4afa 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -1,7 +1,7 @@ image: repository: ghcr.io/proconnect-gouv/oidc2fer pullPolicy: Always - tag: "v1.0.8" + tag: "v1.0.9" satosa: replicas: 2 From 79aee346a2d69efc297670a84f9d1b996a657006 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Thu, 23 Oct 2025 10:21:57 +0200 Subject: [PATCH 22/22] =?UTF-8?q?=F0=9F=94=A7(siret)=20update=20SIRET=20ma?= =?UTF-8?q?p=20to=20replace=20closed=20entities?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These new SIRET numbers were found using https://annuaire-entreprises.data.gouv.fr/ --- .../values.oidc2fer.yaml.gotmpl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl index 85e4afa..c556bc2 100644 --- a/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl +++ b/src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl @@ -32,10 +32,10 @@ satosa: "https://idp.ent.dauphine.fr/idp/shibboleth": "19754692200018", "https://idp.univ-lyon2.fr/idp/shibboleth": "19691775100014", "https://shibboleth.insa-rouen.fr/idp/shibboleth": "19760165100023", - "https://idp1.univ-fcomte.fr/idp/shibboleth": "19251215000363", + "https://idp1.univ-fcomte.fr/idp/shibboleth": "93810656400017", "https://idp.univ-tours.fr/idp/shibboleth": "19370800500478", "https://apps.univ-lr.fr/idp/shibboleth": "19170032700015", - "https://shib.mines-albi.fr/idp/shibboleth": "19811200500022", + "https://shib.mines-albi.fr/idp/shibboleth": "18009202500097", "https://federation.upf.pf/idp/shibboleth": "19987001500013", "https://federation.utbm.fr/idp/shibboleth": "19900356700013", "urn:mace:cru.fr:federation:univ-paris1.fr": "19751717000019", @@ -48,7 +48,7 @@ satosa: "https://ident-shib.ensc-rennes.fr/idp/shibboleth": "19350077400016", "urn:mace:cru.fr:federation:unilim.fr": "19870669900321", "https://idp.inha.fr/idp/shibboleth": "19754688000018", - "https://federation.unimes.fr/idp/shibboleth": "13000375900029", + "https://federation.unimes.fr/idp/shibboleth": "93249157400012", "urn:mace:cru.fr:federation:univ-rennes1.fr": "13003051300019", "urn:mace:cru.fr:federation:univ-ubs.fr": "19561718800600", "https://idp.univ-orleans.fr/idp/shibboleth": "19450855200016", @@ -66,7 +66,7 @@ satosa: "https://shibboleth.univ-grenoble-alpes.fr/idp/shibboleth": "13002608100013", "https://idp.bnu.fr/idp/shibboleth": "18004406700015", "https://ruhnu.univ-tlse2.fr/idp/shibboleth": "19311383400017", - "https://idp2.amue.fr/idp/shibboleth": "18004312700083", + "https://idp2.amue.fr/idp/shibboleth": "18004312700091", "https://idpv3.univ-amu.fr/idp/shibboleth": "13001533200013", "https://idp-ng.univ-st-etienne.fr/idp/shibboleth": "93850168100010", "https://identities.univ-jfc.fr/idp/prod": "19811201300018", @@ -76,7 +76,7 @@ satosa: "https://idp.univ-tln.fr/idp/shibboleth": "19830766200017", "https://idp.uca.fr/idp/shibboleth": "13002806100013", "https://shibboleth3.utt.fr/idp/shibboleth": "19101060200032", - "https://idp3.ut-capitole.fr/idp/shibboleth": "19311382600013", + "https://idp3.ut-capitole.fr/idp/shibboleth": "13003061200019", "https://idp.imt-atlantique.fr/idp/shibboleth": "18009202500121", "https://shib.univ-lehavre.fr/idp/shibboleth": "19762762300097", "https://idp2.univ-paris8.fr/idp/shibboleth": "19931827000014", @@ -102,12 +102,12 @@ satosa: "https://auth.uttop.fr/saml/metadata": "19650048200019", "https://idp.univ-cotedazur.fr/idp/shibboleth": "13002566100013", "https://idp2.brgm.fr/idp/shibboleth": "58205614900120", - "https://idp.crous-reims.fr/idp/shibboleth": "18510200100012", + "https://idp.crous-reims.fr/idp/shibboleth": "18510200100327", "https://idp.univ-avignon.fr/idp/shibboleth": "19840685200204", "https://idp-genci.renater.fr/idp/shibboleth": "49468697500041", "https://auth.sso.vet-alfort.fr/saml/metadata": "19940608300014", "https://idp.univ-perp.fr/idp/shibboleth": "19660437500010", - "https://idp.institut-agro.fr/idp": "13000279300011", + "https://idp.institut-agro.fr/idp": "13002622200013", "https://prod-idp.inria.fr": "18008904700013", "https://idp.ec-nantes.fr/idp/shibboleth": "19440100600011" }