153 Commits

Author SHA1 Message Date
Jonathan Perret 25c401c653 🔒️(saml) check the scope of the eduPersonPrincipalName attribute
The metadata obtained from the federation server contains a list of
allowed scopes for each of the registered identity providers.

By checking the value of the eduPersonPrincipalName attribute
returned by an IdP against the allowed scopes for that IdP,
we protect the downstream services against identity theft by
a compromised IdP.
2024-07-22 20:35:06 +02:00
Jonathan Perret 311d490566 Merge pull request #10 from numerique-gouv/check-affiliation
Only allow employees to authenticate
2024-07-22 19:45:25 +02:00
Jonathan Perret ba69d2d4bd 📝(changelog) update CHANGELOG
Document new affiliation check.
2024-07-22 19:00:45 +02:00
Jonathan Perret 82fc42d093 🔒️(saml) only allow employees to authenticate
We check the eduPersonAffiliation attribute for a "employee" value to
reject students.
2024-07-22 17:32:20 +02:00
Jonathan Perret 10fc48b9ad (e2e) make renater test idp interaction deterministic
By default the consent form is only shown if the requested claims have
changed since the last login for that user, and this appears to be
stored server-side, which caused the test to break when I added
eduPersonAffiliation to the requested claims.

We now always request the consent form on login so that the interaction
is deterministic.
2024-07-22 16:02:10 +02:00
Jonathan Perret b8fe38853f 🚀(staging) complete switch to test federation
Switches the staging instance to the test federation.
2024-06-19 14:37:08 +02:00
Jonathan Perret e03dddde67 🚀(staging) use test entity ID
Switches the staging instance to the test federation.
2024-06-19 14:33:34 +02:00
Jonathan Perret 15064a0b45 🚀(config) get SAML entity ID from environment
This lets us decouple the entity ID from the deployment URL.
2024-06-19 14:29:50 +02:00
rouja a2d275366c 💚(ci) remove secret from repository (#12)
- Remove *.enc.*
- Add symlinks
- Adapt CI
2024-06-07 17:20:03 +02:00
Jonathan Perret 5c18904e39 🚀(staging) use qualification federation
The RENATER Qualification federation is more similar to the production
federation than the test federation.
2024-06-04 17:05:50 +02:00
Jonathan Perret 4aae1dbec2 v1.0.1 release v1.0.1 2024-06-04 16:36:22 +02:00
Jonathan Perret 4d19d6ec1b 🚀(logging) enable JSON logs and LOG_LEVEL env var (#11)
All logs (Gunicorn + SATOSA) are now logged as JSON and the level can be
controlled with the LOG_LEVEL environment variable.
2024-06-04 16:28:15 +02:00
Jonathan Perret 7ecc4c404a 🚀(prod) fix letsencrypt issuer for production
Certificate generation fails if we use the wrong issuer.
2024-05-30 16:09:17 +02:00
Jonathan Perret a940151661 🚀(prod) set production URL to renater.agentconnect.gouv.fr
This is the domain we agreed upon with the AgentConnect team.
2024-05-30 12:01:02 +02:00
Jonathan Perret aa9af2a401 🚀(prod) set production URL to renater.agentconnect.gouv.fr
This is the domain we agreed upon with the AgentConnect team.
2024-05-29 17:13:20 +02:00
Jonathan Perret 132e7a442d Merge pull request #9 from numerique-gouv/production-setup
🚀(prod) add production config to chart
2024-05-16 18:21:38 +02:00
Jonathan Perret 08d5a5ef4d 🚀(prod) add production config to chart
This will be picked up by ArgoCD to deploy on the Outscale production
cluster.
2024-05-16 17:43:59 +02:00
Jonathan Perret 80b5de3afe Revert "🚀(staging) use PR docker image in staging"
This reverts commit 788c55cf4a.
v1.0.0
2024-05-16 12:00:27 +02:00
Jonathan Perret 65f1c750b5 Merge pull request #8 from numerique-gouv/agent-connect
Fix AgentConnect integration
2024-05-16 11:56:29 +02:00
Jonathan Perret 96e244fd6c 🔒️(saml) use eduPersonPrincipalName rather than NameID for sub
The NameID returned by the SAML server is actually transient so we can't
use it as a sub. We'll use eduPersonPrincipalName both in sub and uid.
2024-05-15 22:30:56 +02:00
Jonathan Perret 7239b366e8 🚀(helm) move secrets to k8s secrets
This avoids secrets being visible in manifests.
2024-05-02 19:42:55 +02:00
Jonathan Perret 8fdf8e5f89 🚀(helm) add resource requests/limit and liveness probe
All defined in the default values file, can be overriden per environment
if needed.
2024-05-02 19:24:58 +02:00
Jonathan Perret aa68ce574e 🧑‍💻(tilt) watch helm chart for changes in dev
This makes Tilt rebuild when the chart is edited.
2024-05-02 19:24:58 +02:00
Jonathan Perret 4478152156 🚀(env) make FER URLs configurable per environment
Of course in production we will want the production federation.
2024-04-29 23:09:02 +02:00
Jonathan Perret 78a1b549fc 🚀(redis) add Redis instance to dev and staging
Necessary to support more that one SATOSA worker.
2024-04-29 22:28:18 +02:00
Jonathan Perret b50126675a 🔒️(oidc) return JWT from userinfo endpoint
AgentConnect apparently requires the userinfo endpoint to return a
signed JWT.
2024-04-29 16:35:33 +02:00
Jonathan Perret 94cdbc9497 👔(oidc) generate required claims in user_info
Because SATOSA defaults to list-valued attributes, I had to add
a custom attribute processor to return strings in the userinfo
response.
2024-04-25 15:00:36 +02:00
Jonathan Perret b8037e7b69 🚀(staging) don't default to 3 Gunicorn workers
Currently we let SATOSA store some state in-memory. This cannot
work if we have multiple workers.
2024-04-25 11:09:18 +02:00
Jonathan Perret 788c55cf4a 🚀(staging) use PR docker image in staging
Not sure how to do this properly without having to do a commit.
2024-04-24 18:16:48 +02:00
Jonathan Perret 9b288b3fb9 💚(ci) push images to docker hub for PR branches
This is useful for testing PRs before merging.
2024-04-24 18:14:22 +02:00
Jonathan Perret edf7edce37 🚀(staging) add acr claim to id token
AgentConnect requires an acr claim, see
https://github.com/france-connect/Documentation-AgentConnect/blob/
main/doc_fi/technique_fca_fi/donnees_utilisateurs_fi.md
2024-04-24 17:32:52 +02:00
Jonathan Perret fcecd1d71c 🚀(staging) set token auth method for Agent Connect
Experimentation shows that AC authenticates with the client_secret_post
method.
2024-04-24 10:58:24 +02:00
Jonathan Perret cd4fa9af41 Merge pull request #7 from numerique-gouv/helm
🎨(tooling) basic tilt/helm setup
2024-04-22 17:25:49 +02:00
Jonathan Perret 65adce2d15 🚀(staging) set client id/secret for Agent Connect staging
The OIDC client ID and secret were provided to the Agent Connect staging
registration.
2024-04-22 17:15:44 +02:00
Jonathan Perret ae4121d184 🚀(nginx) allow large response headers
SAML redirect responses can have very large (4k) Location headers.
2024-04-22 17:15:44 +02:00
Jonathan Perret 186f409546 💚(ci) add ArgoCD key
Lets ArgoCD access the secrets for deployment.
2024-04-22 17:15:44 +02:00
Jonathan Perret ef76598158 🎨(tooling) basic tilt/helm setup
Based on https://github.com/numerique-gouv/people/pull/178
2024-04-22 17:15:44 +02:00
Jonathan Perret 7a3f993b44 💚(ci) also build and push linux/arm64 image (#6)
As a courtesy to those of us who run ARM.
2024-04-18 13:15:35 +02:00
dependabot[bot] 04a3b753bd Bump gunicorn from 21.2.0 to 22.0.0 in /src/satosa (#4)
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 21.2.0 to 22.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](https://github.com/benoitc/gunicorn/compare/21.2.0...22.0.0)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-18 12:57:44 +02:00
rouja b203c04c1a 🎨(tooling) Add ci secrets (#5)
Add dockerhub secret to be able to push image to registry.
Add argocd secret to be abble to notify argocd when a change occurs.
2024-04-18 12:56:13 +02:00
Jonathan Perret 403828da82 Merge pull request #2 from numerique-gouv/satosa-setup
Setup SATOSA
2024-04-17 17:46:54 +02:00
Jonathan Perret a6d3483ad9 🎨(tooling) generate default SATOSA secrets for developemnt
`make bootstrap` will now generate well-formed secrets in
env.d/development/satosa. This also serves to document one way
of generating such secrets.
2024-04-17 17:00:06 +02:00
Jonathan Perret 3b2e63e2b5 (test) setup end-to-end manual test
This sets up a test OIDC client, that will start an authentication flow
to the RENATER test federation through our SATOSA instance.
2024-04-17 16:10:12 +02:00
Jonathan Perret 3e71b2166c 🏗️(common) replace Django app with SATOSA
We mostly import SATOSA and launch its WSGI app.
2024-04-17 14:46:15 +02:00
Jonathan Perret ce004c5e80 🏗️(common) remove Postgres
We don't need PostgreSQL.
2024-04-17 11:23:29 +02:00
Jonathan Perret 4fc43c023a 🏗️(common) remove Keycloak
We won't be using Keycloak.
2024-04-15 18:31:20 +02:00
Jonathan Perret acc3df5b03 🏗️(common) remove localization support (crowdin)
Not required for SATOSA, at least for now.
2024-04-15 18:25:47 +02:00
Jonathan Perret 5492cfaf8b 🚨(common) remove version from docker-compose.yml to fix warning
Docker compose v2 does not use the `version` entry.
2024-04-15 18:25:47 +02:00
Jonathan Perret 996822b652 💚(ci) install required xmlsec1 in CI workflow
The `xmlsec` Python requirement fails without these packages.
2024-04-15 18:25:47 +02:00
Jonathan Perret 25e8758d87 💚(ci) fix Python version in workflow
The backend's pyproject.toml requires Python>=3.11.
2024-04-15 18:25:47 +02:00