Commit Graph

95 Commits

Author SHA1 Message Date
Jonathan Perret 425365d22a v1.0.7 release v1.0.7 2025-05-07 17:07:48 +02:00
Jonathan Perret 63806bde22 Merge pull request #30 from numerique-gouv/fix-cve
Remove unused APT dependencies that trigger a CVE warning
2025-05-07 13:46:13 +02:00
Jonathan Perret 96299e1386 ⬆️ (deps) Bump gunicorn to 23.0.0 2025-05-07 13:43:45 +02:00
Jonathan Perret bf015c9238 🔒️(docker) remove unused APT dependencies that trigger a CVE warning
Specifically CVE-2023-45853 was flagged in our Docker image, but
it is in libfreetype6 which we don't use, and is only pulled in
because of a recommended depdency of `gcc` — which we don't need
in any case.
2025-05-07 13:43:45 +02:00
Jacques ROUSSEL 589d447f19 🐛(ci) fix helmfile linter
Latest helmfile version breaks lots of thing.
2025-03-28 14:46:38 +01:00
Jacques ROUSSEL ddc09cca50 🐛(ci) use github action for argocd webhook notification
In order to refactor this notification between alls projetcs, we
chooseto use a custom github action
2025-03-28 14:46:38 +01:00
Jonathan Perret ae2d4a573b Deploy release v1.0.6 to production. 2025-03-11 16:34:02 +01:00
Jonathan Perret 5be05fe43e v1.0.6 release v1.0.6 2025-03-11 16:31:50 +01:00
Jonathan Perret f90df5c2c6 Merge pull request #27 from numerique-gouv/allow-more-affiliations
Allow more affiliations
2025-03-11 16:02:10 +01:00
Jonathan Perret 6bbcd95069 🔧(config) allow more affiliations
We agreed with RENATER to allow people having one of the following
affiliations: faculty, staff, employee, researcher, teacher.
2025-03-11 15:42:27 +01:00
Jonathan Perret b839c32b50 Merge pull request #26 from numerique-gouv/satosa-8.5.1
⬆️ (deps) upgrade to SATOSA 8.5.1
2025-03-11 15:38:15 +01:00
Jonathan Perret 9b062aa27d ⬆️ (deps) upgrade to SATOSA 8.5.1 2025-03-11 15:23:36 +01:00
Jonathan Perret 4a2ece217b Deploy release v1.0.5 to production. 2025-03-06 19:48:00 +01:00
Jonathan Perret a7577ff85e v1.0.5 release v1.0.5 2025-03-06 19:38:28 +01:00
Jonathan Perret 4e81e1e750 Merge pull request #25 from numerique-gouv/custom-log-levels
🚀(logging) allow customizing log levels per logger
2025-03-06 19:36:05 +01:00
Jonathan Perret c27ebfe6ae 🚀(logging) allow customizing log levels per logger
This lets one enable increased logging at a finer level. For example,
one could enable debug logging for a specific logger, while keeping the
rest of the application at info level.
2025-03-06 19:27:01 +01:00
Jonathan Perret d84f2b32d5 Merge pull request #24 from numerique-gouv/filter-paths
🔒️(nginx) add basic path allowlist to block random attacks
2025-03-05 18:32:09 +01:00
Jonathan Perret 9cb67bfb87 🔒️(nginx) add basic path allowlist
This should cut down on opportunistic attack attempts, which are more
a nuisance than anything right now but it can't hurt to stop them
earlier.
2025-03-05 18:26:45 +01:00
Jonathan Perret ba1774bdbf Merge pull request #23 from numerique-gouv/fix-e2e-test
(e2e) fix e2e test with PC staging
2025-03-05 18:18:45 +01:00
Jonathan Perret cb8ff5d878 (e2e) fix e2e test with PC staging
Adapt to updated mock service.
2025-03-05 17:52:03 +01:00
rouja a6e01c071e Merge pull request #21 from numerique-gouv/add-pdbs
🔧(helm) add pdbs to deployements
2025-02-10 17:24:10 +01:00
Jacques ROUSSEL 5a0f2da202 🔧(helm) add pdbs to deployements
In order to avoid a service interruption during a Kubernetes
(k8s)upgrade, we add a Pod Disruption Budget (PDB) to deployments.
2025-02-10 17:19:08 +01:00
rouja 3b2d50d657 Merge pull request #20 from numerique-gouv/fix-issuer
fix letsencrypt issuer for new preprod
2025-02-07 11:53:59 +01:00
Jacques ROUSSEL 52d7de305c 🔧(helm) change letsencrypt issuer
The name of the cluster issuer on the new preprod is 'letsencrypt,' so I
adjusted it.
2025-02-07 10:49:36 +01:00
Jonathan Perret 64a0d4dd3d Merge pull request #19 from numerique-gouv/improve-helm 2024-10-02 10:46:04 +02:00
Jacques ROUSSEL ffbd161e29 (ci) add helmfile linter
Add a github job to run helmfile linter on PR
2024-09-24 17:11:13 +02:00
Jonathan Perret ba1c14291d Merge pull request #17 from numerique-gouv/add-architecture-doc
📝(architecture) add first architecture doc
2024-09-21 12:21:01 +02:00
Jonathan Perret 4c4ccc88ba 📝(architecture) add first architecture doc
This gives an overview and the detail of the workings of OIDC2FER.
2024-09-18 19:31:33 +02:00
Jonathan Perret c1b33453c3 Deploy release v1.0.4 to production. 2024-09-11 12:43:17 +02:00
Jonathan Perret 6cede0a7f2 v1.0.4 release v1.0.4 2024-09-11 11:00:09 +02:00
Jonathan Perret 3b518b9b3a Merge pull request #15 from numerique-gouv/serve-static-assets
(static) add static frontend to serve assets
2024-09-11 10:49:04 +02:00
Jonathan Perret 039d9a12cc (static) add static file serving
We needed a way to serve a handful of static assets, starting with
the ProConnect logo to be embedded in IdP pages.
2024-09-11 10:44:11 +02:00
Jonathan Perret 6424679b85 Set discovery URL to dedicated WAYF 2024-09-05 19:11:57 +02:00
Jonathan Perret 30c91e2345 Add missing slash to discovery URL
This saves one redirect when accessing the discovery service.
2024-09-04 20:05:06 +02:00
Jonathan Perret ad726a92ce Add missing info about "production" tag to deployment instructions 2024-09-02 17:42:42 +02:00
Jonathan Perret 7cc8fc18a2 Deploy release v1.0.3 to production. 2024-09-02 17:18:00 +02:00
Jonathan Perret 17289b1040 v1.0.3 release v1.0.3 2024-09-02 17:09:56 +02:00
Jonathan Perret 0580ec6d7e Merge pull request #14 from numerique-gouv/fix-saml-signature
Upgrade SAML signature algorithm for interoperability with RENATER Access Check
2024-09-02 16:26:07 +02:00
Jonathan Perret 4b5bd5757c 🔒️(saml) set SAML signing algorithm to use SHA256
It turns out the RENATER AccessCheck IdP rejects AuthnRequests signed
with the default SHA1-based SignatureMethod.
2024-08-29 20:34:36 +02:00
Jonathan Perret 61680de401 Deploy 1.0.2 to outscale-production 2024-07-22 20:55:08 +02:00
Jonathan Perret 0fc4450766 v1.0.2 release v1.0.2 2024-07-22 20:52:50 +02:00
Jonathan Perret db99364ae6 Merge pull request #13 from numerique-gouv/check-eppn-scope
🔒️(saml) check the scope of the eduPersonPrincipalName attribute
2024-07-22 20:49:25 +02:00
Jonathan Perret 25c401c653 🔒️(saml) check the scope of the eduPersonPrincipalName attribute
The metadata obtained from the federation server contains a list of
allowed scopes for each of the registered identity providers.

By checking the value of the eduPersonPrincipalName attribute
returned by an IdP against the allowed scopes for that IdP,
we protect the downstream services against identity theft by
a compromised IdP.
2024-07-22 20:35:06 +02:00
Jonathan Perret 311d490566 Merge pull request #10 from numerique-gouv/check-affiliation
Only allow employees to authenticate
2024-07-22 19:45:25 +02:00
Jonathan Perret ba69d2d4bd 📝(changelog) update CHANGELOG
Document new affiliation check.
2024-07-22 19:00:45 +02:00
Jonathan Perret 82fc42d093 🔒️(saml) only allow employees to authenticate
We check the eduPersonAffiliation attribute for a "employee" value to
reject students.
2024-07-22 17:32:20 +02:00
Jonathan Perret 10fc48b9ad (e2e) make renater test idp interaction deterministic
By default the consent form is only shown if the requested claims have
changed since the last login for that user, and this appears to be
stored server-side, which caused the test to break when I added
eduPersonAffiliation to the requested claims.

We now always request the consent form on login so that the interaction
is deterministic.
2024-07-22 16:02:10 +02:00
Jonathan Perret b8fe38853f 🚀(staging) complete switch to test federation
Switches the staging instance to the test federation.
2024-06-19 14:37:08 +02:00
Jonathan Perret e03dddde67 🚀(staging) use test entity ID
Switches the staging instance to the test federation.
2024-06-19 14:33:34 +02:00
Jonathan Perret 15064a0b45 🚀(config) get SAML entity ID from environment
This lets us decouple the entity ID from the deployment URL.
2024-06-19 14:29:50 +02:00