Jonathan Perret
25c401c653
🔒 ️(saml) check the scope of the eduPersonPrincipalName attribute
...
The metadata obtained from the federation server contains a list of
allowed scopes for each of the registered identity providers.
By checking the value of the eduPersonPrincipalName attribute
returned by an IdP against the allowed scopes for that IdP,
we protect the downstream services against identity theft by
a compromised IdP.
2024-07-22 20:35:06 +02:00
Jonathan Perret
311d490566
Merge pull request #10 from numerique-gouv/check-affiliation
...
Only allow employees to authenticate
2024-07-22 19:45:25 +02:00
Jonathan Perret
ba69d2d4bd
📝 (changelog) update CHANGELOG
...
Document new affiliation check.
2024-07-22 19:00:45 +02:00
Jonathan Perret
82fc42d093
🔒 ️(saml) only allow employees to authenticate
...
We check the eduPersonAffiliation attribute for a "employee" value to
reject students.
2024-07-22 17:32:20 +02:00
Jonathan Perret
10fc48b9ad
✅ (e2e) make renater test idp interaction deterministic
...
By default the consent form is only shown if the requested claims have
changed since the last login for that user, and this appears to be
stored server-side, which caused the test to break when I added
eduPersonAffiliation to the requested claims.
We now always request the consent form on login so that the interaction
is deterministic.
2024-07-22 16:02:10 +02:00
Jonathan Perret
b8fe38853f
🚀 (staging) complete switch to test federation
...
Switches the staging instance to the test federation.
2024-06-19 14:37:08 +02:00
Jonathan Perret
e03dddde67
🚀 (staging) use test entity ID
...
Switches the staging instance to the test federation.
2024-06-19 14:33:34 +02:00
Jonathan Perret
15064a0b45
🚀 (config) get SAML entity ID from environment
...
This lets us decouple the entity ID from the deployment URL.
2024-06-19 14:29:50 +02:00
rouja
a2d275366c
💚 (ci) remove secret from repository ( #12 )
...
- Remove *.enc.*
- Add symlinks
- Adapt CI
2024-06-07 17:20:03 +02:00
Jonathan Perret
5c18904e39
🚀 (staging) use qualification federation
...
The RENATER Qualification federation is more similar to the production
federation than the test federation.
2024-06-04 17:05:50 +02:00
Jonathan Perret
4aae1dbec2
v1.0.1 release
v1.0.1
2024-06-04 16:36:22 +02:00
Jonathan Perret
4d19d6ec1b
🚀 (logging) enable JSON logs and LOG_LEVEL env var ( #11 )
...
All logs (Gunicorn + SATOSA) are now logged as JSON and the level can be
controlled with the LOG_LEVEL environment variable.
2024-06-04 16:28:15 +02:00
Jonathan Perret
7ecc4c404a
🚀 (prod) fix letsencrypt issuer for production
...
Certificate generation fails if we use the wrong issuer.
2024-05-30 16:09:17 +02:00
Jonathan Perret
a940151661
🚀 (prod) set production URL to renater.agentconnect.gouv.fr
...
This is the domain we agreed upon with the AgentConnect team.
2024-05-30 12:01:02 +02:00
Jonathan Perret
aa9af2a401
🚀 (prod) set production URL to renater.agentconnect.gouv.fr
...
This is the domain we agreed upon with the AgentConnect team.
2024-05-29 17:13:20 +02:00
Jonathan Perret
132e7a442d
Merge pull request #9 from numerique-gouv/production-setup
...
🚀 (prod) add production config to chart
2024-05-16 18:21:38 +02:00
Jonathan Perret
08d5a5ef4d
🚀 (prod) add production config to chart
...
This will be picked up by ArgoCD to deploy on the Outscale production
cluster.
2024-05-16 17:43:59 +02:00
Jonathan Perret
80b5de3afe
Revert " 🚀 (staging) use PR docker image in staging"
...
This reverts commit 788c55cf4a .
v1.0.0
2024-05-16 12:00:27 +02:00
Jonathan Perret
65f1c750b5
Merge pull request #8 from numerique-gouv/agent-connect
...
Fix AgentConnect integration
2024-05-16 11:56:29 +02:00
Jonathan Perret
96e244fd6c
🔒 ️(saml) use eduPersonPrincipalName rather than NameID for sub
...
The NameID returned by the SAML server is actually transient so we can't
use it as a sub. We'll use eduPersonPrincipalName both in sub and uid.
2024-05-15 22:30:56 +02:00
Jonathan Perret
7239b366e8
🚀 (helm) move secrets to k8s secrets
...
This avoids secrets being visible in manifests.
2024-05-02 19:42:55 +02:00
Jonathan Perret
8fdf8e5f89
🚀 (helm) add resource requests/limit and liveness probe
...
All defined in the default values file, can be overriden per environment
if needed.
2024-05-02 19:24:58 +02:00
Jonathan Perret
aa68ce574e
🧑💻 (tilt) watch helm chart for changes in dev
...
This makes Tilt rebuild when the chart is edited.
2024-05-02 19:24:58 +02:00
Jonathan Perret
4478152156
🚀 (env) make FER URLs configurable per environment
...
Of course in production we will want the production federation.
2024-04-29 23:09:02 +02:00
Jonathan Perret
78a1b549fc
🚀 (redis) add Redis instance to dev and staging
...
Necessary to support more that one SATOSA worker.
2024-04-29 22:28:18 +02:00
Jonathan Perret
b50126675a
🔒 ️(oidc) return JWT from userinfo endpoint
...
AgentConnect apparently requires the userinfo endpoint to return a
signed JWT.
2024-04-29 16:35:33 +02:00
Jonathan Perret
94cdbc9497
👔 (oidc) generate required claims in user_info
...
Because SATOSA defaults to list-valued attributes, I had to add
a custom attribute processor to return strings in the userinfo
response.
2024-04-25 15:00:36 +02:00
Jonathan Perret
b8037e7b69
🚀 (staging) don't default to 3 Gunicorn workers
...
Currently we let SATOSA store some state in-memory. This cannot
work if we have multiple workers.
2024-04-25 11:09:18 +02:00
Jonathan Perret
788c55cf4a
🚀 (staging) use PR docker image in staging
...
Not sure how to do this properly without having to do a commit.
2024-04-24 18:16:48 +02:00
Jonathan Perret
9b288b3fb9
💚 (ci) push images to docker hub for PR branches
...
This is useful for testing PRs before merging.
2024-04-24 18:14:22 +02:00
Jonathan Perret
edf7edce37
🚀 (staging) add acr claim to id token
...
AgentConnect requires an acr claim, see
https://github.com/france-connect/Documentation-AgentConnect/blob/
main/doc_fi/technique_fca_fi/donnees_utilisateurs_fi.md
2024-04-24 17:32:52 +02:00
Jonathan Perret
fcecd1d71c
🚀 (staging) set token auth method for Agent Connect
...
Experimentation shows that AC authenticates with the client_secret_post
method.
2024-04-24 10:58:24 +02:00
Jonathan Perret
cd4fa9af41
Merge pull request #7 from numerique-gouv/helm
...
🎨 (tooling) basic tilt/helm setup
2024-04-22 17:25:49 +02:00
Jonathan Perret
65adce2d15
🚀 (staging) set client id/secret for Agent Connect staging
...
The OIDC client ID and secret were provided to the Agent Connect staging
registration.
2024-04-22 17:15:44 +02:00
Jonathan Perret
ae4121d184
🚀 (nginx) allow large response headers
...
SAML redirect responses can have very large (4k) Location headers.
2024-04-22 17:15:44 +02:00
Jonathan Perret
186f409546
💚 (ci) add ArgoCD key
...
Lets ArgoCD access the secrets for deployment.
2024-04-22 17:15:44 +02:00
Jonathan Perret
ef76598158
🎨 (tooling) basic tilt/helm setup
...
Based on https://github.com/numerique-gouv/people/pull/178
2024-04-22 17:15:44 +02:00
Jonathan Perret
7a3f993b44
💚 (ci) also build and push linux/arm64 image ( #6 )
...
As a courtesy to those of us who run ARM.
2024-04-18 13:15:35 +02:00
dependabot[bot]
04a3b753bd
Bump gunicorn from 21.2.0 to 22.0.0 in /src/satosa ( #4 )
...
Bumps [gunicorn](https://github.com/benoitc/gunicorn ) from 21.2.0 to 22.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases )
- [Commits](https://github.com/benoitc/gunicorn/compare/21.2.0...22.0.0 )
---
updated-dependencies:
- dependency-name: gunicorn
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-18 12:57:44 +02:00
rouja
b203c04c1a
🎨 (tooling) Add ci secrets ( #5 )
...
Add dockerhub secret to be able to push image to registry.
Add argocd secret to be abble to notify argocd when a change occurs.
2024-04-18 12:56:13 +02:00
Jonathan Perret
403828da82
Merge pull request #2 from numerique-gouv/satosa-setup
...
Setup SATOSA
2024-04-17 17:46:54 +02:00
Jonathan Perret
a6d3483ad9
🎨 (tooling) generate default SATOSA secrets for developemnt
...
`make bootstrap` will now generate well-formed secrets in
env.d/development/satosa. This also serves to document one way
of generating such secrets.
2024-04-17 17:00:06 +02:00
Jonathan Perret
3b2e63e2b5
✅ (test) setup end-to-end manual test
...
This sets up a test OIDC client, that will start an authentication flow
to the RENATER test federation through our SATOSA instance.
2024-04-17 16:10:12 +02:00
Jonathan Perret
3e71b2166c
🏗️ (common) replace Django app with SATOSA
...
We mostly import SATOSA and launch its WSGI app.
2024-04-17 14:46:15 +02:00
Jonathan Perret
ce004c5e80
🏗️ (common) remove Postgres
...
We don't need PostgreSQL.
2024-04-17 11:23:29 +02:00
Jonathan Perret
4fc43c023a
🏗️ (common) remove Keycloak
...
We won't be using Keycloak.
2024-04-15 18:31:20 +02:00
Jonathan Perret
acc3df5b03
🏗️ (common) remove localization support (crowdin)
...
Not required for SATOSA, at least for now.
2024-04-15 18:25:47 +02:00
Jonathan Perret
5492cfaf8b
🚨 (common) remove version from docker-compose.yml to fix warning
...
Docker compose v2 does not use the `version` entry.
2024-04-15 18:25:47 +02:00
Jonathan Perret
996822b652
💚 (ci) install required xmlsec1 in CI workflow
...
The `xmlsec` Python requirement fails without these packages.
2024-04-15 18:25:47 +02:00
Jonathan Perret
25e8758d87
💚 (ci) fix Python version in workflow
...
The backend's pyproject.toml requires Python>=3.11.
2024-04-15 18:25:47 +02:00