Compare commits

..

1 Commits

Author SHA1 Message Date
Jonathan Perret 8f9a9ed1f0 temporary enable debug logs in production 2025-03-05 17:32:56 +01:00
48 changed files with 378 additions and 2639 deletions
+2 -2
View File
@@ -9,9 +9,9 @@ We primarily use GitHub as an issue tracker. If however you're encountering an i
---
Please make sure you have read our [main Readme](https://github.com/proconnect-gouv/oidc2fer).
Please make sure you have read our [main Readme](https://github.com/numerique-gouv/oidc2fer).
Also make sure it was not already answered in [an open or close issue](https://github.com/proconnect-gouv/oidc2fer/issues).
Also make sure it was not already answered in [an open or close issue](https://github.com/numerique-gouv/oidc2fer/issues).
If your question was not covered, and you feel like it should be, fire away! We'd love to improve our docs! 👌
-67
View File
@@ -1,67 +0,0 @@
name: 🐳 Build docker images
on:
push:
branches:
- 'main'
tags:
- 'v*'
pull_request:
branches:
- 'main'
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Docker meta
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=sha,prefix=sha-
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
- name: Login to Github Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Build and push
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
target: production
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
notify-argocd:
runs-on: ubuntu-latest
if: |
github.event_name != 'pull_request'
needs:
- build-and-push
steps:
- uses: numerique-gouv/action-argocd-webhook-notification@cac2ee67896eb13e84e804f60c4271370424eaa8 # main
id: notify
with:
deployment_repo_path: "${{ github.repository }}"
argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"
+93
View File
@@ -0,0 +1,93 @@
name: Docker Hub Workflow
on:
workflow_dispatch:
push:
branches:
- 'main'
tags:
- 'v*'
pull_request:
branches:
- 'main'
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
-
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "oidc2fer,secrets"
-
name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/oidc2fer
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
-
name: Build and push
uses: docker/build-push-action@v5
with:
context: .
target: production
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
notify-argocd:
runs-on: ubuntu-latest
if: |
github.event_name != 'pull_request'
needs:
- build-and-push
steps:
-
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "oidc2fer,secrets"
-
name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Call argocd github webhook
run: |
data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
+22
View File
@@ -0,0 +1,22 @@
name: Helmfile lint
run-name: Helmfile lint
on:
pull_request:
branches:
- 'main'
jobs:
helmfile-lint:
runs-on: ubuntu-latest
container:
image: ghcr.io/helmfile/helmfile:latest
steps:
-
uses: numerique-gouv/action-helmfile-lint@main
with:
app-id: ${{ secrets.APP_ID }}
age-key: ${{ secrets.SOPS_PRIVATE }}
private-key: ${{ secrets.PRIVATE_KEY }}
helmfile-src: "src/helm"
repositories: "oidc2fer,secrets"
@@ -1,4 +1,4 @@
name: 💚 CI Tests
name: OIDC2FER Workflow
on:
push:
@@ -16,14 +16,14 @@ jobs:
if: github.event_name == 'pull_request' # Makes sense only for pull requests
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: show
run: git log
- name: Enforce absence of print statements in code
run: |
! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude).github/**' | grep "print("
! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude)**/oidc2fer.yml' | grep "print("
- name: Check absence of fixup commits
run: |
! git log | grep 'fixup!'
@@ -39,17 +39,17 @@ jobs:
github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check that the CHANGELOG has been modified in the current branch
run: git log --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG
run: git whatchanged --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG
lint-changelog:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@v4
- name: Check CHANGELOG max line length
run: |
max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
@@ -65,11 +65,11 @@ jobs:
working-directory: src/satosa
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@v3
with:
python-version: '3.14'
python-version: '3.11'
- name: Install development dependencies
run: |
# Python's xmlsec requirement
@@ -89,11 +89,11 @@ jobs:
working-directory: src/satosa
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
uses: actions/setup-python@v3
with:
python-version: '3.14'
python-version: '3.11'
- name: Install development dependencies
run: |
# Python's xmlsec requirement
@@ -101,37 +101,3 @@ jobs:
pip install --user .[dev]
- name: Run tests
run: ~/.local/bin/pytest
helmfile-lint:
runs-on: ubuntu-latest
# skip this job on forks since they won't have access to the required secrets
if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
container:
image: ghcr.io/helmfile/helmfile:v1.2.0
steps:
-
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: numerique-gouv
repositories: secrets
-
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Helmfile lint
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_PRIVATE }}
run: |
HELMFILE=src/helm/helmfile.yaml.gotmpl
environments=$(< $HELMFILE awk -F'[ :]+' '/^ [^ ]/ {print $2} /^---/ { exit }')
for env in $environments; do
echo "################### $env lint ###################"
helmfile -e $env -f "$HELMFILE" lint || exit 1
echo -e "\n"
done
+1 -1
View File
@@ -1,3 +1,3 @@
[submodule "secrets"]
path = secrets
url = ../../numerique-gouv/secrets
url = ../secrets
-30
View File
@@ -6,36 +6,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
and this project adheres to
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.0.12] - 2026-03-02
- upgrade dependencies: Python 3.14.3, gunicorn 25.1.0…
## [1.0.11] - 2025-11-24
- remove setuptools, wheel and pip from production Docker image
## [1.0.10] - 2025-11-21
- rename helmfile.yaml for compatibility with helmfile 1.x
## [1.0.9] - 2025-10-03
- map SAML entity IDs to SIRET (#34)
- include ACR claim in ID token only if requested (#32)
## [1.0.8] - 2025-09-10
- fix secrets submodule path following move to `proconnect-gouv` organization
- update other references to `numerique-gouv` organization
- publish Docker images at ghcr.io/proconnect-gouv/oidc2fer
## [1.0.7] - 2025-05-07
- remove unused APT dependencies
- upgrade to gunicorn 23.0.0
## [1.0.6] - 2025-03-11
- upgrade to SATOSA 8.5.1
- allow faculty, staff, employee, researcher, teacher affiliations
## [1.0.5] - 2025-03-06
- add allowlist for URL paths to nginx ingress
- allow customizing log levels per logger
## [1.0.4] - 2024-09-11
- serve static files
+13 -16
View File
@@ -1,23 +1,25 @@
# ---- base image to inherit from ----
FROM python:3.14.3-slim-trixie AS common
FROM python:3.11-slim-bookworm as common
# Install xmlsec1 dependencies required for xmlsec (for SAML)
# Needs to be kept before the `pip install`
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
RUN apt-get update && \
apt-get -y upgrade && \
apt-get install -qy --no-install-recommends xmlsec1 && \
apt-get install -y \
pkg-config \
gcc \
xmlsec1 \
libxml2-dev \
libxmlsec1-dev \
libxmlsec1-openssl && \
rm -rf /var/lib/apt/lists/*
# Silence pip warnings about running as root in a container
ENV PIP_ROOT_USER_ACTION=ignore
# We want the most up-to-date stable pip release
RUN pip install --upgrade pip
ENV PYTHONUNBUFFERED=1
# Give the "root" group the same permissions AS the "root" user on /etc/passwd
# Give the "root" group the same permissions as the "root" user on /etc/passwd
# to allow a user belonging to the root group to add new users; typically the
# docker user (see entrypoint).
RUN chmod g=u /etc/passwd
@@ -39,11 +41,7 @@ COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satos
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
# ---- Development image ----
FROM common AS development
# Install curl (for healthchecks)
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && apt-get install -qy curl
FROM common as development
# Playwright browsers
ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
@@ -69,15 +67,14 @@ COPY ./src/satosa /app/
USER ${DOCKER_USER}
# ---- Production image (keep last so it is the default target) ----
FROM common AS production
FROM common as production
# Copy oidc2fer application (see .dockerignore)
COPY ./src/satosa /app/
WORKDIR /app
# Uninstall pip, setuptools and wheel after installation to reduce attack surface
RUN pip install . && pip uninstall -y setuptools wheel pip
RUN pip install .
# Switch to unprivileged user
USER ${DOCKER_USER}
+1 -8
View File
@@ -57,19 +57,12 @@ number and date.
## Deploying a release to production (DINUM instance)
1. Make sure the release you want to deploy has been built and appears on
https://github.com/proconnect-gouv/oidc2fer/pkgs/container/oidc2fer
https://hub.docker.com/r/lasuite/oidc2fer/tags .
2. Edit `image/tag` at the top of
`src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl`.
3. Commit and push to `main`.
4. Update the `production` tag and push it.
## Environment variables
| variable | usage |
| --- | --- |
| `LOG_LEVEL` | Sets the log level for the root logger, i.e. the default. Defaults to `INFO`. |
| `LOG_LEVELS` | A JSON object that can be used to set log levels for specific loggers, e.g. `{"satosa.backends.saml2": "DEBUG"}`. Defaults to `{}`. |
## Contributing
This project is intended to be community-driven, so please, do not hesitate to
-1230
View File
File diff suppressed because it is too large Load Diff
-125
View File
@@ -1,125 +0,0 @@
https://idp1.agroparistech.fr/idp/shibboleth
https://idpv3.univ-amu.fr/idp/shibboleth
https://idp2.amue.fr/idp/shibboleth
https://idp.univ-avignon.fr/idp/shibboleth
https://idp.bnu.fr/idp/shibboleth
https://sso.bordeaux-inp.fr/idp/shibboleth
https://idp.enitab.fr/idp/shibboleth
https://idp2.brgm.fr/idp/shibboleth
https://auth.centrale-marseille.fr/idp/shibboleth
https://idp.ec-nantes.fr/idp/shibboleth
https://sso-ciation-saclay.centralesupelec.fr/idp/shibboleth
https://idp4.cereq.fr/idp/shibboleth
https://idp.cirad.fr/idp/shibboleth
https://janus.cnrs.fr/idp
https://identification.univ-toulouse.fr
https://idp.crous-reims.fr/idp/shibboleth
https://identites.ec-lyon.fr/idp/shibboleth
https://idp-ecole-air.renater.fr/idp/shibboleth
https://shibboleth03.chartes.psl.eu/idp/shibboleth
https://idp.enpc.fr/saml/metadata
https://idp.marseille.archi.fr/idp/shibboleth
https://idp.paris-malaquais.archi.fr/idp/shibboleth
https://idp.ensam.eu/idp/shibboleth
https://ident-shib.ensc-rennes.fr/idp/shibboleth
https://auth.sso.vet-alfort.fr/saml/metadata
https://federation.ens.psl.eu/idp/shibboleth
https://idp1.ens-paris-saclay.fr/idp/shibboleth
https://idp.ehesp.fr/idp/shibboleth
https://idp.ens-lyon.fr/idp/shibboleth
https://idp.ens-rennes.fr/idp/shibboleth
https://idp.rennes.archi.fr/idp/shibboleth
https://idp2.ensai.fr/idp/shibboleth
https://idp.lyon.archi.fr/idp/shibboleth
https://identites.ensea.fr/idp/shibboleth
https://idp.ensfea.fr/idp/shibboleth
https://idp.ensma.fr/idp/shibboleth
https://idp.esaip.org/idp/shibboleth
https://vip.espci.fr/saml2/idp/metadata.php
https://idp-genci.renater.fr/idp/shibboleth
https://idp.renater.fr/idp/shibboleth
https://shibboleth.grenoble-inp.fr/idp/shibboleth
https://idp.college-de-france.fr/idp/shibboleth
https://idp.imt-atlantique.fr/idp/shibboleth
https://shib.mines-albi.fr/idp/shibboleth
https://multipass.imt-nord-europe.fr/idp/shibboleth
https://idp.inalco.fr/idp/shibboleth
https://idp.inha.fr/idp/shibboleth
https://authentification.inrae.fr/saml/metadata/idp
https://prod-idp.inria.fr
https://idp-insa-cvl.renater.fr/idp/shibboleth
https://idauthproxy.insa-lyon.fr/Saml2IDP/metadata
https://idp.insa-rennes.fr/idp/shibboleth
https://shibboleth.insa-rouen.fr/idp/shibboleth
https://srv-fii.insa-toulouse.fr/idp/shibboleth
https://identities.univ-jfc.fr/idp/prod
https://sso.ird.fr/idp/shibboleth
https://idp.isae.fr/idp/shibboleth
https://idp.institut-agro.fr/idp
https://apps.univ-lr.fr/idp/shibboleth
https://idp.univ-lemans.fr/idp/shibboleth
https://idp2.emse.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-nantes.fr
https://federation.unimes.fr/idp/shibboleth
https://idp-septa.onisep.fr/idp/shibboleth
https://idp.oca.eu/idp/shibboleth
https://shibboleth3.obspm.fr/idp/shibboleth
https://access-check.renater.fr/simplesaml/saml2/idp/metadata.php
https://idp.sciencespobordeaux.fr/idp/shibboleth
https://idp.sciencespo-lyon.fr/idp/shibboleth
https://idp.sigma-clermont.fr/idp/shibboleth
https://shibboleth.ens2m.fr/idp/shibboleth
https://idp.inp-toulouse.fr/idp/shibboleth
https://shibboleth.ube.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-ubs.fr
urn:mace:cru.fr:federation:univ-lyon1.fr
https://idp.uca.fr/idp/shibboleth
https://idp.univ-cotedazur.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-angers.fr
https://idp.univ-artois.fr/idp/shibboleth
https://shibboleth.univ-evry.fr/idp/shibboleth
https://idp.univ-orleans.fr/idp/shibboleth
https://federation3.univ-brest.fr/idp/shibboleth
https://idp4.unicaen.fr/idp/shibboleth
https://shibboleth.univ-corse.fr/idp/shibboleth
https://idp.uha.fr/idp/shibboleth
https://shib2.unc.nc/idp/shibboleth
https://idp.univ-lille.fr/idp/shibboleth
urn:mace:cru.fr:federation:unilim.fr
https://idp3.univ-lorraine.fr/idp/shibboleth
https://idp.univ-lyon2.fr/idp/shibboleth
https://idp.univ-lyon3.fr/idp/shibboleth
https://federation.umontpellier.fr/idp/shibboleth
https://idp.univ-pau.fr/idp/shibboleth
https://idp.univ-perp.fr/idp/shibboleth
http://idp.univ-poitiers.fr
https://federation.upf.pf/idp/shibboleth
https://identite.univ-reims.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-rennes1.fr
urn:mace:cru.fr:federation:univ-rouen.fr
https://idp-ng.univ-st-etienne.fr/idp/shibboleth
https://idp.unistra.fr/idp/shibboleth
https://federation.utbm.fr/idp/shibboleth
https://shibboleth3.utt.fr/idp/shibboleth
https://idp.univ-tln.fr/idp/shibboleth
https://idp.univ-tlse3.fr/idp/shibboleth
https://idp.univ-tours.fr/idp/shibboleth
https://shibboleth.csi.uvsq.fr/idp/shibboleth
https://shibboleth.univ-grenoble-alpes.fr/idp/shibboleth
https://idp.univ-eiffel.fr/idp/shibboleth
https://shib.univ-lehavre.fr/idp/shibboleth
https://idp1.univ-fcomte.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-paris1.fr
https://idp2.univ-paris8.fr/idp/shibboleth
https://idp.ent.dauphine.fr/idp/shibboleth
https://upnidp2.parisnanterre.fr/idp/shibboleth
https://idp.universite-paris-saclay.fr/idp
https://idp-v4.univ-montp3.fr/idp/shibboleth
https://idp.uphf.fr/idp/shibboleth
urn:mace:cru.fr:federation:uhb.fr
https://shibboleth.univ-savoie.fr/idp/shibboleth
https://idp.univ-paris13.fr/idp/shibboleth
https://idp3.ut-capitole.fr/idp/shibboleth
https://ruhnu.univ-tlse2.fr/idp/shibboleth
https://auth.uttop.fr/saml/metadata
https://papangue.vetagro-sup.fr/idp/shibboleth
-367
View File
@@ -1,367 +0,0 @@
3sr-grenoble.fr
admin.in2p3.fr
agro-bordeaux.fr
agroparistech.fr
agrotoulouse.fr
alsace.cnrs.fr
amue.fr
apc.in2p3.fr
artsetmetiers.fr
artsetmetiers.ma
atilf.fr
biocampus.cnrs.fr
bis-sorbonne.fr
bnu.fr
bordeaux-inp.fr
brgm.fr
caes.cnrs.fr
caesug.cnrs.fr
cbs.cnrs.fr
cc.in2p3.fr
ccsd.cnrs.fr
cebc.cnrs.fr
cefas.cnrs.fr
cefe.cnrs.fr
cefrepa.cnrs.fr
ceipi.edu
cemes.fr
cemipai.cnrs.fr
cenbg.in2p3.fr
centrale-med.fr
centralesupelec.fr
centre-cired.fr
cepam.cnrs.fr
cercec.cnrs.fr
cerege.fr
cereq.fr
cermav.cnrs.fr
cfee.cnrs.fr
chartes.psl.eu
cirad.fr
cirfc.fr
cirm-math.fr
clermont-auvergne-inp.fr
clermont.in2p3.fr
cnrs-bellevue.fr
cnrs-dir.fr
cnrs-imn.fr
cnrs-mrs.fr
cnrs-orleans.fr
cnrs.cnrs.fr
cnrs.fr
college-de-france.fr
cppm.in2p3.fr
crbm.cnrs.fr
crhea.cnrs.fr
crous-reims.fr
crpp.cnrs.fr
csnsm.in2p3.fr
cso.cnrs.fr
dauphine.eu
dauphine.fr
dauphine.psl.eu
doctorant.upf.pf
dr1.cnrs.fr
dr11.cnrs.fr
dr12.cnrs.fr
dr13.cnrs.fr
dr14.cnrs.fr
dr15.cnrs.fr
dr17.cnrs.fr
dr18.cnrs.fr
dr2.cnrs.fr
dr4.cnrs.fr
dr5.cnrs.fr
dr6.cnrs.fr
dr7.cnrs.fr
dr8.cnrs.fr
dsi.cnrs.fr
dt.insu.cnrs.fr
ec-lyon.fr
ec-nantes.fr
eccorev.fr
ecole-air.fr
ecotron.cnrs.fr
edu.ehesp.fr
edu.univ-paris13.fr
edu.univ-spn.fr
ehesp.fr
em-strasbourg.fr
emse.fr
enit.fr
enitab.fr
enpc.fr
ens-lyon.fr
ens-paris-saclay.fr
ens-rennes.fr
ens.psl.eu
ens.univ-artois.fr
ensai.fr
ensam.eu
ensc-rennes.fr
ensea.fr
enseeiht.fr
ensfea.fr
ensiacet.fr
ensma.fr
epicur.education
esaip.org
eskemm-numerique.fr
espci.fr
espci.psl.eu
etu.emse.fr
etu.umontpellier.fr
etu.umpv.fr
etu.unicaen.fr
etu.univ-lorraine.fr
etu.univ-montp3.fr
etu.univ-orleans.fr
etu.univ-rouen.fr
etu.univ-st-etienne.fr
etud.univ-angers.fr
etud.univ-jfc.fr
etud.univ-pau.fr
etud.univ-tln.fr
etud.univ-ubs.fr
etudiant.univ-lr.fr
etudiant.univ-perp.fr
etudiant.univ-reims.fr
ext.esaip.org
ext.isae-supaero.fr
ext.univ-jfc.fr
fmnt.fr
fondation-lehn.fr
fpp.cnrs.fr
france-bioinformatique.fr
fsab.cnrs.fr
ganil.fr
gate.cnrs.fr
genci.fr
genopole.cnrs.fr
genopolys.fr
geoazur.unice.fr
gredeg.cnrs.fr
grenoble-inp.fr
grenoble-inp.org
grenoble.cnrs.fr
gsrl.cnrs.fr
huma-num.fr
iap.fr
ibcp.fr
ibgc.cnrs.fr
ibl.cnrs.fr
ibs.fr
icfrc.fr
icgm.fr
icmcb-bordeaux.cnrs.fr
icmcb.cnrs.fr
icmpe.cnrs.fr
icsn.cnrs-gif.fr
idemec.cnrs.fr
idris.fr
iemn.fr
ifpindia.org
ifporient.org
igf.cnrs.fr
igh.cnrs.fr
igmm.cnrs.fr
igs.cnrs-mrs.fr
ijclab.in2p3.fr
ijm.fr
iker.cnrs.fr
imbe.fr
imev-mer.fr
imft.fr
imm.cnrs.fr
imnc.in2p3.fr
imt-atlantique.fr
imt-nord-europe.fr
in2p3.fr
inalco.fr
inha.fr
inist.fr
inp-toulouse.fr
inphyni.cnrs.fr
inrae.fr
inria.fr
insa-cvl.fr
insa-lyon.fr
insa-rennes.fr
insa-rouen.fr
insa-toulouse.fr
inv.univ-rouen.fr
ip2i.in2p3.fr
ipbs.fr
iphc.cnrs.fr
ipht.fr
ipmc.cnrs.fr
ipnl.in2p3.fr
ipno.in2p3.fr
ipsl.fr
ipst-cnam.fr
ipst.fr
ird.fr
irht.cnrs.fr
irim.cnrs.fr
irisa.fr
isa-lyon.fr
isae-supaero.fr
isae.fr
isc.cnrs.fr
ish-lyon.cnrs.fr
isv.cnrs-gif.fr
iutbayonne.univ-pau.fr
l2it.in2p3.fr
laas.fr
laet.ish-lyon.cnrs.fr
laet.msh-lse.fr
lal.in2p3.fr
lam.fr
lapp.in2p3.fr
lapth.cnrs.fr
latmos.ipsl.fr
lcc-toulouse.fr
lcts.cnrs.fr
legi.cnrs.fr
legs.cnrs.fr
let.ish-lyon.cnrs.fr
lgp.cnrs.fr
lip6.fr
liris.cnrs.fr
lis-lab.fr
lisa.ipsl.fr
listes.imev-mer.fr
llr.in2p3.fr
lma.cnrs-mrs.fr
lma.in2p3.fr
lmd.ipsl.fr
lmf.cnrs.fr
lncmi.cnrs.fr
locean.ipsl.fr
loria.fr
lp2ib.in2p3.fr
lpccaen.in2p3.fr
lpmmc.cnrs.fr
lpnhe.in2p3.fr
lpsc.in2p3.fr
lsce.ipsl.fr
lspm.cnrs.fr
lupm.in2p3.fr
lyon.archi.fr
map.cnrs.fr
marseille.archi.fr
math.cnrs.fr
mgx.cnrs.fr
mines-albi.fr
mines-stetienne.fr
mio.osupytheas.fr
misha.cnrs.fr
misha.fr
mom.fr
mri.cnrs.fr
msh-lse.fr
neel.cnrs.fr
obs-besancon.fr
obspm.fr
oca.eu
omega.in2p3.fr
onisep.fr
osupytheas.fr
pantheonsorbonne.fr
parisgeo.cnrs.fr
parisnanterre.fr
placamat.cnrs.fr
prestataire.renater.fr
primato.cnrs.fr
prism.cnrs.fr
promes.cnrs.fr
renater.fr
rennes.archi.fr
risc.cnrs.fr
sb-roscoff.fr
sciencespo-aix.fr
sciencespo-lyon.fr
sciencespobordeaux.fr
scpobx.fr
seatech.fr
sete.cnrs.fr
sigma-clermont.fr
student.isae-supaero.fr
subatech.in2p3.fr
supagro.fr
supmicrotech.fr
sys2diag.cnrs.fr
toulouse-inp.fr
tyl.in2p3.fr
u-bourgogne.fr
u-strasbg.fr
ube.fr
uca.fr
uha.fr
umontpellier.fr
umpv.fr
unc.nc
unicaen.fr
unice.fr
unilim.fr
unimes.fr
unistra.fr
univ-amu.fr
univ-angers.fr
univ-artois.fr
univ-avignon.fr
univ-brest.fr
univ-corse.fr
univ-cotedazur.fr
univ-eiffel.fr
univ-evry.fr
univ-fcomte.fr
univ-grenoble-alpes.fr
univ-jfc.fr
univ-lehavre.fr
univ-lemans.fr
univ-lille.fr
univ-lorraine.fr
univ-lr.fr
univ-lyon1.fr
univ-lyon2.fr
univ-lyon3.fr
univ-montp3.fr
univ-nantes.fr
univ-nc.nc
univ-orleans.fr
univ-paris1.fr
univ-paris13.fr
univ-paris8.fr
univ-pau.fr
univ-perp.fr
univ-poitiers.fr
univ-reims.fr
univ-rennes.fr
univ-rennes2.fr
univ-rouen.fr
univ-savoie.fr
univ-smb.fr
univ-spn.fr
univ-st-etienne.fr
univ-tln.fr
univ-tlse2.fr
univ-tlse3.fr
univ-toulouse.fr
univ-tours.fr
univ-ubs.fr
universite-paris-saclay.fr
upf.pf
uphf.fr
usias.fr
ut-capitole.fr
utbm.fr
utinam.cnrs.fr
utt.fr
uttop.fr
uvsq.fr
vacataire.upf.pf
vet-alfort.fr
vetagro-sup.fr
vjf.cnrs.fr
xlim.fr
+3 -10
View File
@@ -13,7 +13,7 @@ services:
BASE_URL: https://satosa.traefik.me
GUNICORN_CMD_ARGS: --workers=2
TEST_E2E: 1
#TEST_E2E_PC: 1
#TEST_E2E_AC: 1
OIDC_DB_URI: redis://redis/0
CLIENT_DB_JSON: |
{
@@ -30,7 +30,7 @@ services:
}
}
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/idps.xml
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://satosa.traefik.me/Saml2/proxy_saml2_backend.xml
env_file:
- env.d/development/common
@@ -40,13 +40,6 @@ services:
- ./docker/files/usr/local/etc/gunicorn/satosa.py:/usr/local/etc/gunicorn/satosa.py
depends_on:
- redis
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:8000/ping"]
interval: 60s
timeout: 5s
retries: 3
start_period: 30s
start_interval: 1s
oidc-test-client:
build: docker/oidc-test-client
@@ -73,7 +66,7 @@ services:
#OIDC_PROVIDER: https://oidc2fer-staging.beta.numerique.gouv.fr
OIDC_CLIENT_ID: oidc-test-client
OIDC_CLIENT_SECRET: oidc-test-secret
OIDC_SCOPES: openid,uid,given_name,usual_name,email,siret
OIDC_SCOPES: openid,uid,given_name,usual_name,email
extra_hosts:
- "oidc2fer.127.0.0.1.nip.io:host-gateway"
+1 -36
View File
@@ -1,5 +1,4 @@
import datetime
import json
import logging
import os
import sys
@@ -30,8 +29,6 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
url += f"?{record.args['q']}"
return {
"logger": record.name,
"level": record.levelname,
"remote_ip": record.args["h"],
"method": record.args["m"],
"path": url,
@@ -40,7 +37,7 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
"user_agent": record.args["a"],
"referer": record.args["f"],
"duration_in_ms": record.args["M"],
"pid": record.process,
"poppid": record.process,
}
@@ -58,23 +55,11 @@ class DefaultJSONFormatter(json_log_formatter.JSONFormatter):
payload: dict[str, str | int | float] = super().json_record(
message, extra, record
)
payload["logger"] = record.name
payload["level"] = record.levelname
payload["pid"] = record.process
return payload
class NoPingFilter(logging.Filter):
"""
Filters out /ping requests from the access log.
"""
def filter(self, record: logging.LogRecord) -> bool:
return not( record.args.get("m", "") == "GET"
and record.args.get("U", "") == "/ping"
and str(record.args.get("s", "")) == "200" )
bind = ["0.0.0.0:8000"]
name = "satosa"
python_path = "/app"
@@ -91,9 +76,6 @@ accesslog = "-"
errorlog = "-"
loglevel = os.environ.get("LOG_LEVEL", "INFO")
loglevels_json = os.environ.get("LOG_LEVELS", "{}")
loglevels = json.loads(loglevels_json)
logconfig_dict = {
"version": 1,
"disable_existing_loggers": True,
@@ -113,24 +95,7 @@ logconfig_dict = {
"handlers": ["json_request"],
"propagate": False,
"qualname": "gunicorn.access",
"filters": [NoPingFilter()],
},
"satosa.base": {
"level": "INFO",
},
"satosa.state": {
"level": "INFO",
},
"satosa.proxy_server": {
"level": "INFO",
},
"satosa.routing": {
"level": "INFO",
},
"satosa.frontends.ping": {
"level": "INFO",
},
**{k: {"level": v.upper()} for k, v in loglevels.items()},
},
"formatters": {
"json_request": {
+1 -1
View File
@@ -1,4 +1,4 @@
FROM python:3.14
FROM python:3.11
COPY . /app
+4 -2
View File
@@ -2,10 +2,13 @@ from flask import Flask, jsonify, request, session
from oic.oic import Client
from oic.utils.authn.client import CLIENT_AUTHN_METHOD
from oic import rndstr
from oic.oic.message import Claims, ClaimsRequest, RegistrationResponse
from oic.oic.message import RegistrationResponse
from oic.utils.http_util import Redirect
from oic.oic.message import AuthorizationResponse
import secrets
import webbrowser
import threading
import time
import logging
import os
@@ -49,7 +52,6 @@ def index():
"nonce": session["nonce"],
"redirect_uri": client.registration_response["redirect_uris"][0],
"state": session["state"],
"claims": ClaimsRequest(id_token=Claims(acr=None, amr=None)),
}
)
login_url = auth_req.request(client.authorization_endpoint)
+1 -1
View File
@@ -1,2 +1,2 @@
Flask==3.0.3
oic==1.7.0
oic==1.6.1
-37
View File
@@ -1,37 +0,0 @@
agro-bordeaux.fr
centrale-med.fr
clermont-auvergne-inp.fr
college-de-france.fr
ecole-air.fr
edu.univ-paris13.fr
edu.univ-spn.fr
enitab.fr
enpc.fr
ens-rennes.fr
ens.univ-artois.fr
ensai.fr
esaip.org
eskemm-numerique.fr
ext.esaip.org
geoazur.unice.fr
inalco.fr
insa-cvl.fr
marseille.archi.fr
univ-artois.fr
obspm.fr
oca.eu
sigma-clermont.fr
unice.fr
univ-lyon1.fr
univ-paris13.fr
univ-spn.fr
uphf.fr
uvsq.fr
paris-malaquais.archi.fr
etud.univ-pau.fr
iutbayonne.univ-pau.fr
univ-pau.fr
cereq.fr
etud.univ-angers.fr
univ-angers.fr
-1
View File
@@ -1 +0,0 @@
paris-malaquais.archi.fr etud.univ-pau.fr iutbayonne.univ-pau.fr univ-pau.fr cereq.fr etud.univ-angers.fr univ-angers.fr
-162
View File
@@ -1,162 +0,0 @@
agroparistech.fr
agrotoulouse.fr
amue.fr
artsetmetiers.fr
artsetmetiers.ma
bis-sorbonne.fr
bnu.fr
bordeaux-inp.fr
brgm.fr
ceipi.edu
centralesupelec.fr
chartes.psl.eu
cirad.fr
cirfc.fr
cnrs-dir.fr
cnrs.fr
crous-reims.fr
dauphine.eu
dauphine.fr
dauphine.psl.eu
doctorant.upf.pf
ec-lyon.fr
ec-nantes.fr
edu.ehesp.fr
ehesp.fr
em-strasbourg.fr
emse.fr
enit.fr
ens-lyon.fr
ens-paris-saclay.fr
ens.psl.eu
ensam.eu
ensc-rennes.fr
ensea.fr
enseeiht.fr
ensfea.fr
ensiacet.fr
ensma.fr
epicur.education
espci.fr
espci.psl.eu
etu.emse.fr
etu.umontpellier.fr
etu.umpv.fr
etu.unicaen.fr
etu.univ-lorraine.fr
etu.univ-montp3.fr
etu.univ-orleans.fr
etu.univ-rouen.fr
etu.univ-st-etienne.fr
etud.univ-jfc.fr
etud.univ-tln.fr
etud.univ-ubs.fr
etudiant.univ-lr.fr
etudiant.univ-perp.fr
etudiant.univ-reims.fr
ext.isae-supaero.fr
ext.univ-jfc.fr
fondation-lehn.fr
genci.fr
grenoble-inp.fr
grenoble-inp.org
icfrc.fr
imft.fr
imt-atlantique.fr
imt-nord-europe.fr
inha.fr
inp-toulouse.fr
inrae.fr
inria.fr
insa-lyon.fr
insa-rennes.fr
insa-rouen.fr
insa-toulouse.fr
inv.univ-rouen.fr
ipst-cnam.fr
ipst.fr
ird.fr
irisa.fr
isae-supaero.fr
isae.fr
loria.fr
lyon.archi.fr
mines-albi.fr
mines-stetienne.fr
misha.fr
onisep.fr
pantheonsorbonne.fr
parisnanterre.fr
prestataire.renater.fr
renater.fr
rennes.archi.fr
sciencespo-aix.fr
sciencespo-lyon.fr
sciencespobordeaux.fr
scpobx.fr
seatech.fr
student.isae-supaero.fr
supagro.fr
supmicrotech.fr
toulouse-inp.fr
u-bourgogne.fr
u-strasbg.fr
ube.fr
uca.fr
uha.fr
umontpellier.fr
umpv.fr
unc.nc
unicaen.fr
unice.fr
unilim.fr
unimes.fr
unistra.fr
univ-amu.fr
univ-avignon.fr
univ-brest.fr
univ-corse.fr
univ-cotedazur.fr
univ-eiffel.fr
univ-evry.fr
univ-fcomte.fr
univ-grenoble-alpes.fr
univ-jfc.fr
univ-lehavre.fr
univ-lemans.fr
univ-lille.fr
univ-lorraine.fr
univ-lr.fr
univ-lyon2.fr
univ-lyon3.fr
univ-montp3.fr
univ-nantes.fr
univ-nc.nc
univ-orleans.fr
univ-paris1.fr
univ-paris8.fr
univ-perp.fr
univ-poitiers.fr
univ-reims.fr
univ-rennes.fr
univ-rennes2.fr
univ-rouen.fr
univ-savoie.fr
univ-smb.fr
univ-st-etienne.fr
univ-tln.fr
univ-tlse2.fr
univ-tlse3.fr
univ-toulouse.fr
univ-tours.fr
univ-ubs.fr
universite-paris-saclay.fr
upf.pf
usias.fr
ut-capitole.fr
utbm.fr
utt.fr
uttop.fr
vacataire.upf.pf
vet-alfort.fr
vetagro-sup.fr
+1 -1
Submodule secrets updated: 6a1f95c183...b0d485544d
+2 -3
View File
@@ -2,7 +2,6 @@ SAML2_BACKEND_CERT: ENC[AES256_GCM,data:uVs1uGoFfESz0eAkxvPUkSXQw6cCvzi+YfH7pbXL
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:svNEf0i2AB0fQlJlwJ4tkST7R0GGArPGw7iVGA4pRYedphZrRkeTVUoI3e/Ku5fTv2IXBK4NU5NB9OvFL8VaX1hN3xxWcW6htcOzSGPklee/U4j9fSnUvZzCHtCz1sYgCoQCPcQObfLA2S2H+CMekJpy53djxfjbZdo6+A+T1Lcqk/aJkl8IO0+LgfK2vlp7X5hR4BLS+fdVOrogqzlIrr7iumvSBTS8RY0dp87iLGcWmKCYLrvSieyneiC1VgYughl6LxcPLBTPSJFZBt0NLR3oUMcumBaRpvrlLxPihJbqyC4Jn+We0IKBMYmLCEBBLjx+J4EFLHaG6p3+SyUmLYNJMeOvvexR/qTaiuwUp/3gsD8PrwxFVn7Z3jeL5gX0ohCQyETNuLpAw47yNAlHZaZ11FcFpRUINZrPBG/myJk4i40UQ+AmWBPgS/SxmQj91hoUPw23VDTGWLKv/B5Xd48A3hEOKeA7PmGOfCfd7d9eOJP42dcqWyUypogELAJgF+Leci4q6T99fnIGlBahJK8yDltc4NU4kEAsACdIBZBK+Ezyu+n1hOtg9BEDOUeilSy1TAgfi/B9CQrFLU9cSo1qFPHxIkaRPV3IVuGfEaxNpVrv68RaicYCfeUWIcQ3h13ftPIQlZ6rNukC1pDugV4GrPTtapokV/Z8/8QU0BcRAmfDIniBlk+uP2ga8YDJ4c1FDl6KYQt2zyzFQACOoVPOm/VvffGzOl042iO0ibHAklZerFgbjsiUCpBcRi4dOFqMt6OkvdTldFYGOm+FADtVdJaRoUk8uXe13GCUASjJUCrMOmimEb6gKNYbm2u27kWBIlPMNmLlelVkEpmPCmAl2yLXiJhdxBu0YgHyqwqizKOumckoYditFDXkK52ZtANqwLaHNtGV+aB5dvxRlN5NhsUYr9zLmgv4bUkYL2lI5p5IFN0Lha0fDG105FbIoqmuKXxWJ7IL7MisQLW5DGzN29gWH/uh3A00b3jiEn/0HvEh+P/38t20/IP/l65Z7OZAf2VA1jpCv04lKPXYmvMbcXIROhWcA1yqJvdgiNIh8eWWt/1mFzjRHQ1vfiW5XEn1Yoln6Q++Q5RgnlraizuZWDGeKvP/b5+B15lgdx7keG5rmSpn8ogJD7Cey6epsVY84Qbqpvcp5i5EcL/cMs9NkN2Yf6EGKhczILOAwH2YypWnttIz8OrftjqPzbAP/XOXLFxNbFBlyzLlYwTcjNUIZtg9OwK3k0zDKeHT+q6xSMFdyf3Xpdoh+NJD1QYzoSzosWj/Yzxg9bZVVpKOb89fkGRpNtCuHEkprr0LJUCaPSArANE+MH7E6uisBVvIQwF9MzTf6apHoyUIi0Oq0dRpryvD/OBf0V0Zn75uitpoSqEZf+i8+L3s7dsFp1lEwywUZuZPxmk8kOIyPGNG6KmuFOr0j/6jPO4/05dIvYb/f/sSCjQo3E99whPx5Of9tmlU4eCM4Fwzpgu/w4uKy4f27W4LYosfpENHGRbaWI2XFmmNL1J6Lm6h1yZ+3ck0391zBZA0pp0tNIR5AEc5UBn8GQHrmk9NW2QLMqQLPmhgAD6unHeJY9iYMoCAMqc14c6gjF7gjBCrZd58qBTcNHw3p0GJXACgCm/OGqhRYFuWF0kJUugnTK9n1wfy3/HNE/adBnOqJWEkoP4n/VVL+eucECBtOX0jPFHmPsMYMSdwupCB32G7I36dQPYQsjbD+Sg9StAQxbXUIALRQ1cMaeHpUNSc48sE8ElrjZStNf46oWs+rDjhleWdOlpfsOJ+qwJrLLXFqBMeFtgXpzL4NnRoEGjFFK5l7EtfGDK0/ytPPmOwarjEDftaLmDTfBniZrt/WuuChe7MHbKRcGFkBYA2nbbBfMcpnsGBXpEMQl8LYZR9Sg8hMT0rFYtXj+h0ceCIfsa1HdV43NR/oos7Nf32rjLAu/jVUMNwWOKew5+Du61gmhBVpVNtvTe8+31dYMoQGQrIbxnHQmT1fu8LB0Am45+Zghk8sc0d+81xEzYxvYXMR/QMbwJnWGGI4e7XSUMA5k9xKXXNDeYNCP/e9BGhl9sS0XYX0HSrjX6rsVI5K1QRjT+CBiIqlS7q6bofZ8tsiYhRSh7pgYgvodsPKezrZCTTY4/Xyg9iLMtqtpqMnfqmbaYvwJ6r5LbWeR89tkjmlHcWcue/85Y2D/1COiGFRODIityykTTjacGj/MlYXPE3O20Lr1P1YP2lm22i9kM5jKuCiGbyMn8ZuFVQ30Hnwv2qH4k=,iv:itJR8JpZRrwhbQY/kTEURY28vyu1qex7GsRme9icZYw=,tag:JgkJOE+bdK19KjvdH/k1Ug==,type:str]
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:8I/blGdvSDc+Hy96s4OsULJTo9+qyF+8Z4mxA/S11kLQjhue9sRTp/2Q0Db/gw0fMibb8gwrRi4oH4BsHfXaNxtyPCxrgwmeCpaq0rvgrOn+czEDQGErf7QxHnzvsOMBqMygRWKk3aKLjZTNvfMeaQL9KSrtEgePrfUvykSIPwN4HwtNH9Tymq6xopAhgk9jWq5kzomCu6u4OCxz9Fp1GgTdj/gLplMWYeTyWZQFRPimZoBfoxhbih9qofw4uqmN8+iT/Fj9EOAUMsdYeI9i2GKoT/YRso8yipi8760teUwqoDntTVv2ExR4zDvhI5Z9jISyX3qAXls/bwmwAWSb+JIxPAwgbsMDwmPTHItG3Xr2NPkiBVWujMhg7duq+labguwUZelpqQnvnKbxWHm1+NGRS+VYpPQRvzRREh02ybDt7/yjQMSAhWOkDXzZf6WNQfEf5jguz3B6CA6PGAwz9gZX7JivP1O5ontaeULbF373VsOQPmn57qZirk39Ntg7S9tkt2voxilSBMkhDsSXC3Qa9veGnd+t+Jg/YCEamoJEJ85EBfPzgvr2s6Av9D8B2h/gruXCQVCm/Zr9BX8Lus8JmSohTeZUFVteabmxr4W0gwPJgb5Ki0HciKxGsE7ITA5SFFN4LdxsBHlvJ0aJ1pipYfkkpI3YdC45CI22b2gDNIqVamK8hpYn8bTP3jLWsO36M/wnDB6oKsFiTTb4HxNuWVzIshQG8Ua0xwuhizuvZRDuRPUe+gfaiy0Dqzo/RLX1C92TJ7tYzlpM5/u0n7YkY5+/IB2ljnmAC5Kj5z+kNxhTflX/8Z62WTPBZlzE+kJb9hgMQQ8t7jDk6RnpmrUhOKx7rzrFzI/qmXC9+8yHEhiCBI5Wn3R89uCwV0O6WAhIuG9zQiaSiCwDaS3DHCy4PgcUBdbh5tddJ6aazmM9xBZFcevy06gWKmdjbkg3sacjCpTTdnIT4hwxdISTRWtuyYj+pp1d/rs5426yadftPI21OQ1F062nSTKtyViP8PFxzppbCzpSUK5oDdL7wCX2+y8071GJqNipLw+hUS/1z9x7GvEs0Fy5ZOefoHShO/vS6CfXUYoPNpq9ZiAoXvLCRSfY8HEqfOF45hFJLJsVhaKXOe1t4mfHJxrl88NKZXRC3nvSdoqwP9MTdNuvTf86Gn4n+zd3qT07ARqjq4hlV3L69xBxAK/QFrxHagSWOE4Z/tHvYYEiohbn/F6J4k30uv5KnR5P2OpXGRiS5eNXzXdfW+DptBHttmJKtzxD4JJbWRP6kFaUZiCLQLyhZTWoPHmFSTphkxZ2MkqCx13eFTHA927/zehAYCU/miJ1JLATMYaD3mHWifEKRipfG406cF1Y11w27Of3fmhAhqO/7LeZX1a39NXKHW6sIk1Rz0mEaFT8tpBUUxdR1FVaj//MUc7QsvzaxT1O8JletttC8wlWx1mePS1IU49O0DyYcZn4BW8vVJFDz24N7ARb+WcajmsopZScgNwO6XqvDaH/j8mH/0eWCFzIMfW0+pUoCrrmAtoHQ/Z2Dx1j1Yhddxkae1dwoyWGFDqLJyjJ9Hq7Xpx9jQOGGP0mQ2TOw1zwNCzfnWV3MTXmLLwSMc4/ZpOxSqsmI9RlMPE8LeU+ee/jhINYntD/q0zykcoSLj07SfwnYBZPfZcnxNyc94fyrX6GYGfXIAmPR2/pryRtPyXLR3WK9SbL/8rGN50mO42QlvXK0azWRe6gMT4yHZP6V6d5Vqrte1tfhUf/DYuUC0on6qHW5TDrWw7QBdiUQeip4YhW42vgU2WjjNiPZF332uExy0pypO6cZTnsR/jCUZxFMd/IVKWyhAeJt/Wx1Jli1c1SNTigH7LCrSLyrsA2tmufRAcGXRzG2C0mjwofWb7zR1IGCZ0yoVPSt7HNpOY5WoBLpsbhXBodyYTmrSprxXu4cg/n/G8jbAo/xW0AriJolA5k6F9/DWD/tDnIawhwW4AqqeWDk1MmNoGOf/OMplDdwrpkmclVidIcNnaCML8iuKiPx4g+8mdOdkc/mqIP8zaSInRV1/IrIGGSGRwSfQ4wyRFGqC8fYckympShVAGbetOLXn5dd7S3MGlh6n/rgUecqYySs9ckN2Ti0F1g/2CMI5g1Tn4fF2dwOk/iKFLvsSt5Y/vLMTfjK7W+FSg8ImtLs/Jfbn0rrlMVjoBXB2e/yajmu7r+xneP0OeRja+oA1gGExodDmUa4zV6QEU8IFSMLdnqMtShDdRs/XT1YAHbrlS4swg=,iv:EJEMIEsraig+i+5PlieAwHS6XV5bP+wlxv6Wni/9Dws=,tag:DM1XLnEtTp0vFEjAD4u4ag==,type:str]
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:U0BoVcDN6/sNDST8epqmOzs5oWok6lRZ+hLo7O6/Mkz0cqB4rcHe/OOC9HTe39K5WUCD25Rfrb4lSeK0Finl9A==,iv:NM9Wjlx/llNc7Ws8DaNYy9dVq/oFEdlK5a/Alr5ZxVA=,tag:VT8GhiFxeI8AjdcKdRkEcQ==,type:str]
REDIS_PASSWORD: ENC[AES256_GCM,data:lf2Dadck+FkabNsliZCt+s3+fJsgwDyq4isod3mq1WM=,iv:R8Hed2qUe2hUbfILsh7yUf0vgLLLpQETeapr0h54D9w=,tag:+VTC3lf4fa+UFb9XDBgOSw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -45,8 +44,8 @@ sops:
VVlBdFVNZUx1c2p2cERZVFVLWldORzQKaS/7SUU+ueI+MVU/gZIPmr9QwpdVkbGi
SFpfPMtN4CzcSBC4QsFXm7AeUZdpBiJMCLWApHGaas5ai6djiv47rg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-18T15:20:42Z"
mac: ENC[AES256_GCM,data:dxjNp3+ttM6ky02H5lYB9Fp5pG6CeijTnLzaxzHbKTJooIJudv52e3BDG6ui2GeMZINTaGt+IOfpCp2DE+pVZdvShbgrXZ7K1tvwzBslhH4uk48qo4rds9IXDaqPQhbAtlNPhdPPsdrkUA2Wrp3OLDPhi2DsVy5B9mhe6nukrBM=,iv:dWBRiQkp+zCjcGFKyn7uFqVJivwBFP7tpbdyQOA4rT4=,tag:0n9fxsl5BkQglDzobozzRA==,type:str]
lastmodified: "2024-04-18T13:56:51Z"
mac: ENC[AES256_GCM,data:C/p3iSmwr7Tv4oqr1G0FxQ7z0kspFmFR7OsKkRsSLINQ+pvcpFAIjzloUoT32PO+QrBRRSmtGmE0CkmUHh7tEnUVB9q6GcPT/9OwQEqvqtmqx1vjQKNxdTt5zpe7GxLXoJywW1nhgehFweysIlT1r1jgraWidfQ17ZbSQU8ybg4=,iv:LFxTa39rTxfpE+9e5HCFkl6ggJTt1zJMvc745glky08=,tag:U5Z8/HdYE0ZikPEP7oVjzw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
+27 -60
View File
@@ -4,71 +4,38 @@ image:
tag: "latest"
satosa:
replicas: 2
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- redis-oidc
topologyKey: kubernetes.io/hostname
env:
- name: BASE_URL
value: https://oidc2fer.127.0.0.1.nip.io
- name: GUNICORN_CMD_ARGS
value: --workers=3
replicas: 1
envVars:
BASE_URL: https://oidc2fer.127.0.0.1.nip.io
GUNICORN_CMD_ARGS: --workers=3
- name: LOG_LEVEL
value: debug
LOG_LEVEL: debug
- name: SAML2_DISCOVERY_URL
value: https://discovery.renater.fr/test/
- name: SAML2_METADATA_URL
value: https://pub.federation.renater.fr/metadata/test/idps.xml
- name: SAML2_ENTITY_ID
value: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
- name: STATE_ENCRYPTION_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
- name: SAML2_BACKEND_CERT
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
- name: SAML2_BACKEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
- name: OIDC_FRONTEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
- name: REDIS_PASSWORD
valueFrom: { secretKeyRef: { name: oidc2fer, key: REDIS_PASSWORD } }
- name: OIDC_DB_URI
value: "redis://:$(REDIS_PASSWORD)@redis-oidc-master:6379/0"
- name: CLIENT_DB_JSON
value: |-
{
"oidc-test-client": {
"response_types": [
"id_token",
"code"
],
"redirect_uris": [
"https://oidc-test-client.traefik.me/redirect_uri",
"https://oidc-test-client.traefik.me:8443/redirect_uri"
],
"client_secret": "oidc-test-secret",
"token_endpoint_auth_method": "client_secret_post"
}
OIDC_DB_URI: "redis://:pass@redis-master:6379"
CLIENT_DB_JSON: |-
{
"oidc-test-client": {
"response_types": [
"id_token",
"code"
],
"redirect_uris": [
"https://oidc-test-client.traefik.me/redirect_uri",
"https://oidc-test-client.traefik.me:8443/redirect_uri"
],
"client_secret": "oidc-test-secret",
"token_endpoint_auth_method": "client_secret_post"
}
- name: SIRET_MAP
value: |-
{
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
}
}
ingress:
enabled: true
@@ -1,191 +1,27 @@
image:
repository: ghcr.io/proconnect-gouv/oidc2fer
repository: lasuite/oidc2fer
pullPolicy: Always
tag: "v1.0.12"
tag: "v1.0.4"
satosa:
replicas: 4
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- redis-oidc
topologyKey: kubernetes.io/hostname
env:
- name: BASE_URL
value: https://renater.agentconnect.gouv.fr
- name: GUNICORN_CMD_ARGS
value: --workers=3
replicas: 2
envVars:
BASE_URL: https://renater.agentconnect.gouv.fr
GUNICORN_CMD_ARGS: --workers=3
- name: LOG_LEVEL
value: INFO
- name: LOG_LEVELS
value: '{ "satosa.backends.saml2": "DEBUG" }'
LOG_LEVEL: debug
- name: SAML2_DISCOVERY_URL
value: https://discovery.renater.fr/agentconnect/
- name: SAML2_METADATA_URL
value: https://pub.federation.renater.fr/metadata/fer/idps.xml
- name: SAML2_ENTITY_ID
value: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
SAML2_DISCOVERY_URL: https://discovery.renater.fr/agentconnect/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml
SAML2_ENTITY_ID: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
- name: STATE_ENCRYPTION_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
- name: SAML2_BACKEND_CERT
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
- name: SAML2_BACKEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
- name: OIDC_FRONTEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
- name: CLIENT_DB_JSON
valueFrom: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
CLIENT_DB_JSON: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
- name: REDIS_PASSWORD
valueFrom: { secretKeyRef: { name: oidc2fer, key: REDIS_PASSWORD } }
- name: OIDC_DB_URI
value: 'redis://:$(REDIS_PASSWORD)@redis-oidc-master:6379/0'
# As provided by RENATER
- name: SIRET_MAP
value: |-
{
"http://idp.univ-poitiers.fr": "19860856400375",
"https://apps.univ-lr.fr/idp/shibboleth": "19170032700015",
"https://auth.sso.vet-alfort.fr/saml/metadata": "19940608300014",
"https://auth.uttop.fr/saml/metadata": "19650048200019",
"https://authentification.inrae.fr/saml/metadata/idp": "18007003901803",
"https://federation.ens.psl.eu/idp/shibboleth": "19753459700012",
"https://federation.umontpellier.fr/idp/shibboleth": "13002979600013",
"https://federation.unimes.fr/idp/shibboleth": "93249157400012",
"https://federation.upf.pf/idp/shibboleth": "19987001500013",
"https://federation.utbm.fr/idp/shibboleth": "19900356700013",
"https://federation3.univ-brest.fr/idp/shibboleth": "94129831700012",
"https://idauthproxy.insa-lyon.fr/Saml2IDP/metadata": "19690192000013",
"https://ident-shib.ensc-rennes.fr/idp/shibboleth": "19350077400016",
"https://identification.univ-toulouse.fr": "13002132200016",
"https://identites.ec-lyon.fr/idp/shibboleth": "19690187000010",
"https://identites.ensea.fr/idp/shibboleth": "19951376300011",
"https://identities.univ-jfc.fr/idp/prod": "19811201300018",
"https://idp-genci.renater.fr/idp/shibboleth": "49468697500041",
"https://idp-ng.univ-st-etienne.fr/idp/shibboleth": "93850168100010",
"https://idp-septa.onisep.fr/idp/shibboleth": "18004302800653",
"https://idp-v4.univ-montp3.fr/idp/shibboleth": "93249089900014",
"https://idp.bnu.fr/idp/shibboleth": "18004406700015",
"https://idp.cirad.fr/idp/shibboleth": "33159627000016",
"https://idp.crous-reims.fr/idp/shibboleth": "18510200100327",
"https://idp.ec-nantes.fr/idp/shibboleth": "19440100600011",
"https://idp.ehesp.fr/idp/shibboleth": "13000362700010",
"https://idp.ens-lyon.fr/idp/shibboleth": "13000812100019",
"https://idp.ensam.eu/idp/shibboleth": "19753472000010",
"https://idp.ensfea.fr/idp/shibboleth": "19310143300012",
"https://idp.ensma.fr/idp/shibboleth": "19860073600021",
"https://idp.ent.dauphine.fr/idp/shibboleth": "19754692200018",
"https://idp.imt-atlantique.fr/idp/shibboleth": "18009202500121",
"https://idp.inha.fr/idp/shibboleth": "19754688000018",
"https://idp.inp-toulouse.fr/idp/shibboleth": "19311381800127",
"https://idp.insa-rennes.fr/idp/shibboleth": "19350097200016",
"https://idp.institut-agro.fr/idp": "13002622200013",
"https://idp.isae.fr/idp/shibboleth": "13000427800011",
"https://idp.lyon.archi.fr/idp/shibboleth": "19690184700018",
"https://idp.renater.fr/idp/shibboleth": "18008947600055",
"https://idp.rennes.archi.fr/idp/shibboleth": "19350089900029",
"https://idp.sciencespo-lyon.fr/idp/shibboleth": "19690173000024",
"https://idp.sciencespobordeaux.fr/idp/shibboleth": "19330192600039",
"https://idp.uca.fr/idp/shibboleth": "13002806100013",
"https://idp.uha.fr/idp/shibboleth": "19681166500013",
"https://idp.unistra.fr/idp/shibboleth": "13000545700010",
"https://idp.univ-avignon.fr/idp/shibboleth": "19840685200204",
"https://idp.univ-cotedazur.fr/idp/shibboleth": "13002566100013",
"https://idp.univ-eiffel.fr/idp/shibboleth": "13002612300013",
"https://idp.univ-lemans.fr/idp/shibboleth": "19720916600010",
"https://idp.univ-lille.fr/idp/shibboleth": "13002975400012",
"https://idp.univ-lyon2.fr/idp/shibboleth": "19691775100014",
"https://idp.univ-lyon3.fr/idp/shibboleth": "19692437700282",
"https://idp.univ-orleans.fr/idp/shibboleth": "19450855200016",
"https://idp.univ-perp.fr/idp/shibboleth": "19660437500010",
"https://idp.univ-tln.fr/idp/shibboleth": "19830766200017",
"https://idp.univ-tlse3.fr/idp/shibboleth": "93827139200012",
"https://idp.univ-tours.fr/idp/shibboleth": "19370800500478",
"https://idp.universite-paris-saclay.fr/idp": "13002602400054",
"https://idp1.agroparistech.fr/idp/shibboleth": "13000285000134",
"https://idp1.ens-paris-saclay.fr/idp/shibboleth": "19940607500036",
"https://idp1.univ-fcomte.fr/idp/shibboleth": "93810656400017",
"https://idp2.amue.fr/idp/shibboleth": "18004312700091",
"https://idp2.brgm.fr/idp/shibboleth": "58205614900120",
"https://idp2.emse.fr/idp/shibboleth": "18009202500105",
"https://idp2.univ-paris8.fr/idp/shibboleth": "19931827000014",
"https://idp3.univ-lorraine.fr/idp/shibboleth": "13001550600012",
"https://idp3.ut-capitole.fr/idp/shibboleth": "13003061200019",
"https://idp4.unicaen.fr/idp/shibboleth": "19141408500016",
"https://idpv3.univ-amu.fr/idp/shibboleth": "13001533200013",
"https://janus.cnrs.fr/idp": "18008901303720",
"https://multipass.imt-nord-europe.fr/idp/shibboleth": "18009202500139",
"https://papangue.vetagro-sup.fr/idp/shibboleth": "13000858400018",
"https://prod-idp.inria.fr": "18008904700013",
"https://ruhnu.univ-tlse2.fr/idp/shibboleth": "19311383400017",
"https://shib.mines-albi.fr/idp/shibboleth": "18009202500097",
"https://shib.univ-lehavre.fr/idp/shibboleth": "19762762300097",
"https://identite.univ-reims.fr/idp/shibboleth": "19511296600799",
"https://shib2.unc.nc/idp/shibboleth": "13000322100012",
"https://shibboleth.ens2m.fr/idp/shibboleth": "19250082500026",
"https://shibboleth.grenoble-inp.fr/idp/shibboleth": "19381912500017",
"https://shibboleth.insa-rouen.fr/idp/shibboleth": "19760165100023",
"https://shibboleth.ube.fr/idp/shibboleth": "93823061200013",
"https://shibboleth.univ-corse.fr/idp/shibboleth": "19202664900264",
"https://shibboleth.univ-evry.fr/idp/shibboleth": "19911975100014",
"https://shibboleth.univ-grenoble-alpes.fr/idp/shibboleth": "13002608100013",
"https://shibboleth.univ-savoie.fr/idp/shibboleth": "19730858800015",
"https://shibboleth03.chartes.psl.eu/idp/shibboleth": "19753478700043",
"https://shibboleth3.utt.fr/idp/shibboleth": "19101060200032",
"https://srv-fii.insa-toulouse.fr/idp/shibboleth": "19310152400018",
"https://sso-ciation-saclay.centralesupelec.fr/idp/shibboleth": "13002076100016",
"https://sso.bordeaux-inp.fr/idp/shibboleth": "13000635600013",
"https://sso.ird.fr/idp/shibboleth": "18000602500159",
"https://upnidp2.parisnanterre.fr/idp/shibboleth": "19921204400010",
"https://vip.espci.fr/saml2/idp/metadata.php": "20000068500012",
"urn:mace:cru.fr:federation:uhb.fr": "19350937900015",
"urn:mace:cru.fr:federation:unilim.fr": "19870669900321",
"urn:mace:cru.fr:federation:univ-nantes.fr": "13002974700016",
"urn:mace:cru.fr:federation:univ-paris1.fr": "19751717000019",
"urn:mace:cru.fr:federation:univ-rennes1.fr": "13003051300019",
"urn:mace:cru.fr:federation:univ-rouen.fr": "19761904200017",
"urn:mace:cru.fr:federation:univ-ubs.fr": "19561718800600",
"https://idp.marseille.archi.fr/idp/shibboleth": "19130236300020",
"https://idp.inalco.fr/idp/shibboleth": "19753488600092",
"https://idp.sigma-clermont.fr/idp/shibboleth": "13002191800011",
"https://idp.univ-artois.fr/idp/shibboleth": "19624401600016",
"https://idp2.ensai.fr/idp/shibboleth": "13001422800055",
"urn:mace:cru.fr:federation:univ-lyon1.fr": "19691774400019",
"https://idp.enitab.fr/idp/shibboleth": "19330203100011",
"https://idp.oca.eu/idp/shibboleth": "19061563300012",
"https://idp.univ-paris13.fr/idp/shibboleth": "19931238000017",
"https://idp.ens-rennes.fr/idp/shibboleth": "13001848400019",
"https://idp.uphf.fr/idp/shibboleth": "13002574500014",
"https://idp.college-de-france.fr/idp/shibboleth": "19753480300014",
"https://shibboleth.csi.uvsq.fr/idp/shibboleth": "19781944400013",
"https://idp.esaip.org/idp/shibboleth": "37920438100014",
"https://idp.eskn.fr/idp/shibboleth": "13002617200010",
"https://auth.centrale-marseille.fr/idp/shibboleth": "19133340000015",
"https://idp-insa-cvl.renater.fr/idp/shibboleth": "13001833600011",
"https://shibboleth3.obspm.fr/idp/shibboleth": "19753496900013",
"https://idp-ecole-air.renater.fr/idp/shibboleth": "13002454000010",
"https://idp.enpc.fr/saml/metadata": "19753501600020",
"https://idp.paris-malaquais.archi.fr/idp/shibboleth": "18009221500011",
"https://idp.univ-pau.fr/idp/shibboleth": "19640251500270",
"https://idp4.cereq.fr/idp/shibboleth": "18004303600037",
"urn:mace:cru.fr:federation:univ-angers.fr": "19490970100303"
}
resources:
requests:
memory: "256Mi"
cpu: "500m"
limits:
memory: "512Mi"
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
ingress:
enabled: true
@@ -1,60 +1,27 @@
image:
repository: ghcr.io/proconnect-gouv/oidc2fer
repository: lasuite/oidc2fer
pullPolicy: Always
tag: "latest"
tag: "main"
satosa:
replicas: 2
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- redis-oidc
topologyKey: kubernetes.io/hostname
env:
- name: BASE_URL
value: https://oidc2fer-staging.beta.numerique.gouv.fr
- name: GUNICORN_CMD_ARGS
value: --workers=3
envVars:
BASE_URL: https://oidc2fer-staging.beta.numerique.gouv.fr
GUNICORN_CMD_ARGS: --workers=3
- name: LOG_LEVEL
value: DEBUG
- name: LOG_LEVELS
value: '{ "satosa.backends.saml2": "DEBUG" }'
LOG_LEVEL: debug
- name: SAML2_DISCOVERY_URL
value: https://discovery.renater.fr/test/
- name: SAML2_METADATA_URL
value: https://pub.federation.renater.fr/metadata/test/idps.xml
- name: SAML2_ENTITY_ID
value: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
- name: STATE_ENCRYPTION_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
- name: SAML2_BACKEND_CERT
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
- name: SAML2_BACKEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
- name: OIDC_FRONTEND_KEY
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
- name: CLIENT_DB_JSON
valueFrom: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
CLIENT_DB_JSON: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
- name: REDIS_PASSWORD
valueFrom: { secretKeyRef: { name: oidc2fer, key: REDIS_PASSWORD } }
- name: OIDC_DB_URI
value: "redis://:$(REDIS_PASSWORD)@redis-oidc-master:6379/0"
- name: SIRET_MAP
value: |-
{
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
}
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
ingress:
enabled: true
+5
View File
@@ -0,0 +1,5 @@
apiVersion: v2
name: extra
description: A Helm chart to add some manifests to oidc2fer
type: application
version: 0.1.0
+7
View File
@@ -0,0 +1,7 @@
apiVersion: core.libre.sh/v1alpha1
kind: Redis
metadata:
name: redis
namespace: {{ .Release.Namespace | quote }}
spec:
disableAuth: false
@@ -1,3 +1,35 @@
repositories:
- name: bitnami
url: registry-1.docker.io/bitnamicharts
oci: true
releases:
- name: redis
installed: {{ eq .Environment.Name "dev" | toYaml }}
namespace: {{ .Namespace }}
chart: bitnami/redis
version: 18.19.2
values:
- auth:
password: pass
architecture: standalone
- name: extra
installed: {{ ne .Environment.Name "dev" | toYaml }}
namespace: {{ .Namespace }}
chart: ./extra
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- name: oidc2fer
version: {{ .Values.version }}
namespace: {{ .Namespace }}
chart: ./oidc2fer
values:
- env.d/{{ .Environment.Name }}/values.oidc2fer.yaml.gotmpl
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
environments:
dev:
values:
@@ -14,32 +46,4 @@ environments:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
---
repositories:
- name: bitnami
url: registry-1.docker.io/bitnamicharts
oci: true
releases:
- name: redis-oidc
namespace: {{ .Namespace }}
chart: bitnami/redis
version: 25.3.5
needs:
- oidc2fer
values:
- auth:
existingSecret: oidc2fer
existingSecretPasswordKey: REDIS_PASSWORD
architecture: standalone
image:
repository: bitnamilegacy/redis
- name: oidc2fer
version: {{ .Values.version }}
namespace: {{ .Namespace }}
chart: ./oidc2fer
values:
- env.d/{{ .Environment.Name }}/values.oidc2fer.yaml.gotmpl
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
+40
View File
@@ -50,6 +50,46 @@ app.kubernetes.io/name: {{ include "oidc2fer.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
transform dictionnary of environment variables
Usage : {{ include "oidc2fer.env.transformDict" .Values.envVars }}
Example:
envVars:
# Using simple strings as env vars
ENV_VAR_NAME: "envVar value"
# Using a value from a configMap
ENV_VAR_FROM_CM:
configMapKeyRef:
name: cm-name
key: "key_in_cm"
# Using a value from a secret
ENV_VAR_FROM_SECRET:
secretKeyRef:
name: secret-name
key: "key_in_secret"
*/}}
{{- define "oidc2fer.env.transformDict" -}}
{{- range $key, $value := . }}
- name: {{ $key | quote }}
{{- if $value | kindIs "map" }}
valueFrom: {{ $value | toYaml | nindent 4 }}
{{- else }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{/*
oidc2fer env vars
*/}}
{{- define "oidc2fer.common.env" -}}
{{- $topLevelScope := index . 0 -}}
{{- $workerScope := index . 1 -}}
{{- include "oidc2fer.env.transformDict" $workerScope.envVars -}}
{{- end }}
{{/*
Common labels
+4 -7
View File
@@ -1,6 +1,5 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "oidc2fer.fullname" . -}}
{{- $port := .Values.satosa.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -34,15 +33,13 @@ spec:
- host: {{ .Values.ingress.host | quote }}
http:
paths:
{{- range .Values.ingress.paths }}
- path: {{ .path | quote }}
pathType: {{ .pathType }}
- path: /
pathType: Prefix
backend:
service:
name: {{ $fullName }}-satosa
name: {{ include "oidc2fer.satosa.fullname" . }}
port:
number: {{ $port }}
{{- end }}
number: {{ .Values.satosa.service.port }}
{{- with .Values.ingress.customBackends }}
{{- toYaml . | nindent 10 }}
{{- end }}
@@ -1,3 +1,4 @@
{{- $envVars := include "oidc2fer.common.env" (list . .Values.satosa) -}}
{{- $fullName := include "oidc2fer.satosa.fullname" . -}}
{{- $component := "satosa" -}}
apiVersion: apps/v1
@@ -41,9 +42,10 @@ spec:
args:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.satosa.env }}
env: {{ toJson . }}
{{- end }}
env:
{{- if $envVars}}
{{- $envVars | indent 12 }}
{{- end }}
{{- with .Values.satosa.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
@@ -1,3 +1,4 @@
{{- $envVars := include "oidc2fer.common.env" (list . .Values.satosa) -}}
{{- $fullName := include "oidc2fer.satosa.fullname" . -}}
{{- $component := "satosa" -}}
apiVersion: v1
-1
View File
@@ -9,4 +9,3 @@ stringData:
SAML2_BACKEND_KEY: {{ .Values.SAML2_BACKEND_KEY | toYaml | indent 8 }}
OIDC_FRONTEND_KEY: {{ .Values.OIDC_FRONTEND_KEY | toYaml | indent 8 }}
CLIENT_DB_JSON: {{ .Values.CLIENT_DB_JSON | toYaml | indent 8 }}
REDIS_PASSWORD: {{ .Values.REDIS_PASSWORD | quote }}
+15 -9
View File
@@ -21,6 +21,10 @@ image:
nameOverride: ""
fullnameOverride: ""
## @skip commonEnvVars
commonEnvVars: &commonEnvVars
<<: []
## @param ingress.enabled whether to enable the Ingress or not
## @param ingress.className IngressClass to use for the Ingress
## @param ingress.host Host for the Ingress
@@ -29,9 +33,7 @@ ingress:
enabled: false
className: null
host: oidc2fer.example.com
paths:
- path: '/$|^/\.well-known/openid-configuration$|^/images/|^/Saml2/|^/OIDC/|^/ping$'
pathType: ImplementationSpecific # enables regex matching
path: /
## @param ingress.hosts Additional host to configure for the Ingress
hosts: []
# - chart-example.local
@@ -46,9 +48,6 @@ ingress:
## @param ingress.customBackends Add custom backends to ingress
customBackends: []
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
## @section satosa
satosa:
@@ -75,8 +74,15 @@ satosa:
## @param satosa.securityContext Configure satosa Pod security context
securityContext: null
## @param satosa.env Configure satosa container environment variables
env: []
## @param satosa.envVars Configure satosa container environment variables
## @extra satosa.envVars.BY_VALUE Example environment variable by setting value directly
## @extra satosa.envVars.FROM_CONFIGMAP.configMapKeyRef.name Name of a ConfigMap when configuring env vars from a ConfigMap
## @extra satosa.envVars.FROM_CONFIGMAP.configMapKeyRef.key Key within a ConfigMap when configuring env vars from a ConfigMap
## @extra satosa.envVars.FROM_SECRET.secretKeyRef.name Name of a Secret when configuring env vars from a Secret
## @extra satosa.envVars.FROM_SECRET.secretKeyRef.key Key within a Secret when configuring env vars from a Secret
## @skip satosa.envVars
envVars:
<<: *commonEnvVars
## @param satosa.podAnnotations Annotations to add to the satosa Pod
podAnnotations: {}
@@ -105,7 +111,7 @@ satosa:
## @param satosa.probes.readiness.initialDelaySeconds [nullable] Configure timeout for satosa readiness probe
probes:
liveness:
targetPort: 8000
targetPost: 8000
path: /ping
initialDelaySeconds: 10
#readiness:
-3
View File
@@ -31,6 +31,3 @@ attributes:
uid:
openid:
- uid
siret:
openid:
- siret
@@ -1 +0,0 @@
from .entity_id_to_siret_mapper import EntityIdToSiretMapper
@@ -1,23 +0,0 @@
import json
import logging
from satosa.micro_services.base import ResponseMicroService
logger = logging.getLogger(__name__)
class EntityIdToSiretMapper(ResponseMicroService):
def __init__(self, config, *args, **kwargs):
super().__init__(*args, **kwargs)
self.attribute = config.get("attribute", "siret")
self.mapping = json.loads(config.get("mapping_json", "{}"))
def process(self, context, data):
entity_id = data.auth_info.issuer
if entity_id in self.mapping:
siret = self.mapping[entity_id]
logger.info("Mapping entity ID %s to SIRET %s", entity_id, siret)
data.attributes[self.attribute] = siret
else:
logger.warning("No SIRET mapping found for entity ID %s", entity_id)
return super().process(context, data)
@@ -3,11 +3,11 @@ name: Saml2
config:
disco_srv: !ENV SAML2_DISCOVERY_URL
entityid_endpoint: true
mirror_force_authn: false
memorize_idp: false
use_memorized_idp_when_force_authn: false
send_requester_id: false
enable_metadata_reload: false
mirror_force_authn: 'no'
memorize_idp: 'no'
use_memorized_idp_when_force_authn: 'no'
send_requester_id: 'no'
enable_metadata_reload: 'no'
acs_selection_strategy: prefer_matching_host
sp_config:
name: Passerelle OIDC vers FER
@@ -43,7 +43,6 @@ config:
- uid
- given_name
- usual_name
- siret
# Set code/token lifetimes as short as possible
authorization_code_lifetime: 60
@@ -57,5 +56,8 @@ config:
- given_name
usual_name:
- usual_name
siret:
- siret
extra_id_token_claims:
oidc-test-client:
- acr
agent-connect:
- acr
@@ -13,8 +13,4 @@ config:
# later in the PrimaryIdentifier processor.
- ".+"
eduPersonAffiliation:
- "^faculty$"
- "^staff$"
- "^employee$"
- "^researcher$"
- "^teacher$"
@@ -1,5 +0,0 @@
module: oidc2fer.attribute_generators.EntityIdToSiretMapper
name: EntityIdToSiretMapper
config:
attribute: siret
mapping_json: !ENV SIRET_MAP
-1
View File
@@ -17,7 +17,6 @@ MICRO_SERVICES:
- plugins/microservices/primary_identifier.yaml
- plugins/microservices/static_attributes.yaml
- plugins/microservices/attribute_processor.yaml
- plugins/microservices/siret_mapping.yaml
LOGGING:
# All the logging configuration is done in the Gunicorn config, this is just
# here to avoid overwriting it with the default SATOSA config
+19 -17
View File
@@ -11,45 +11,47 @@ version = "0.1.0"
authors = [{ "name" = "DINUM", "email" = "dev@mail.numerique.gouv.fr" }]
classifiers = [
"Development Status :: 5 - Production/Stable",
"Intended Audience :: End Users/Desktop",
"Intended Audience :: System Administrators",
"Intended Audience :: Developers",
"License :: OSI Approved :: MIT License",
"Natural Language :: English",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.14",
"Programming Language :: Python :: 3.11",
]
description = "A gateway from RENATER's FER to ProConnect's OIDC provider, built on top of SATOSA."
description = "An application to handle contacts and teams."
keywords = ["OIDC", "SAML", "Shibboleth", "FER", "RENATER"]
license = { file = "LICENSE" }
readme = "README.md"
requires-python = ">=3.14"
requires-python = ">=3.11"
dependencies = [
"SATOSA==8.5.1",
"gunicorn==25.1.0",
"redis==7.2.1",
"JSON-log-formatter==1.1.1",
"WhiteNoise==6.12.0",
"SATOSA==8.4.0",
"gunicorn==22.0.0",
"redis==5.0.4",
"JSON-log-formatter==1.0",
"WhiteNoise==6.7.0",
]
[project.urls]
"Bug Tracker" = "https://github.com/proconnect-gouv/oidc2fer/issues/new"
"Changelog" = "https://github.com/proconnect-gouv/oidc2fer/blob/main/CHANGELOG.md"
"Homepage" = "https://github.com/proconnect-gouv/oidc2fer"
"Repository" = "https://github.com/proconnect-gouv/oidc2fer"
"Bug Tracker" = "https://github.com/numerique-gouv/oidc2fer/issues/new"
"Changelog" = "https://github.com/numerique-gouv/oidc2fer/blob/main/CHANGELOG.md"
"Homepage" = "https://github.com/numerique-gouv/oidc2fer"
"Repository" = "https://github.com/numerique-gouv/oidc2fer"
[project.optional-dependencies]
dev = [
"pylint==3.1.0",
"pytest-cov==4.1.0",
"pytest==9.0.2",
"ruff==0.15.4",
"pytest-playwright==0.7.2",
"pytest==8.0.2",
"ruff==0.2.2",
"pytest-playwright==0.4.4",
]
[tool.setuptools]
packages = { find = { where = ["."], exclude = ["tests"] } }
zip-safe = true
[tool.distutils.bdist_wheel]
universal = true
[tool.ruff]
exclude = [
".git",
+7
View File
@@ -0,0 +1,7 @@
#!/usr/bin/env python
"""Setup file for the oidc2fer module. All configuration stands in the setup.cfg file."""
# coding: utf-8
from setuptools import setup
setup()
@@ -1,42 +0,0 @@
import json
from satosa.context import Context
from satosa.internal import AuthenticationInformation, InternalData
from oidc2fer.attribute_generators import EntityIdToSiretMapper
class TestEntityIdToSiretMapper:
def create_mapper(self):
mapper = EntityIdToSiretMapper(
config={
"attribute": "siret",
"mapping_json": json.dumps(
{
"https://idp.example.fr": "12345678200010",
}
),
},
name="siret_mapper",
base_url="https://satosa.example.com",
)
mapper.next = lambda ctx, data: data
return mapper
def test_sets_siret_for_known_entityid(self):
mapper = self.create_mapper()
resp = InternalData(
auth_info=AuthenticationInformation(issuer="https://idp.example.fr")
)
ctx = Context()
mapper.process(ctx, resp)
assert resp.attributes["siret"] == "12345678200010"
def test_does_not_set_siret_for_unknown_entityid(self):
mapper = self.create_mapper()
resp = InternalData(
auth_info=AuthenticationInformation(issuer="https://unknown.example.fr")
)
ctx = Context()
mapper.process(ctx, resp)
assert "siret" not in resp.attributes
+13 -16
View File
@@ -20,7 +20,6 @@ def renater_test_idp(page, login):
def renater_wayf(page):
page.get_by_text("Veuillez sélectionner").click()
page.get_by_role("searchbox").fill("GIP RENATER - IdP de test")
page.get_by_role("option", name="GIP RENATER - IdP de test", exact=True).click()
page.get_by_role("button", name="Sélection").click()
@@ -49,7 +48,6 @@ def oidc_to_renater(
"email": expected_email,
"given_name": expected_given_name,
"usual_name": expected_usual_name,
"siret": "12345678200010",
}.items() <= userinfo.items()
return id_token
@@ -77,58 +75,57 @@ def test_oidc_to_renater_student_not_allowed(page: Page):
expect(page.locator("pre")).to_contain_text('"error":"access_denied"')
def pro_connect_login(page: Page, email):
def agent_connect_login(page: Page, email):
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
page.get_by_role("button", name="Sidentifier avec ProConnect").click()
page.get_by_label("Connexion à AgentConnect").click()
page.get_by_label("Email professionnel").fill(email)
page.get_by_test_id("interaction-connection-button").click()
def pro_connect_to_renater(
def agent_connect_to_renater(
page: Page,
login="enseignant1",
expected_email="georges.grospieds@formation.renater.fr",
expected_given_name="Georges",
expected_usual_name="Grospieds",
):
pro_connect_login(page, email=expected_email)
agent_connect_login(page, email=expected_email)
renater_wayf(page)
renater_test_idp(page, login=login)
expect(page.locator("body")).to_contain_text(expected_email)
text = page.inner_text("#userinfo")
text = page.inner_text("#json")
result = json.loads(text)
assert {
"uid": f"{login}@test-renater.fr",
"email": expected_email,
"given_name": expected_given_name,
"usual_name": expected_usual_name,
"siret": "12345678200010",
}.items() <= result.items()
return result
@pytest.mark.skipif(
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
)
def test_pro_connect_to_renater_keeps_sub(browser: Browser):
def test_agent_connect_to_renater_keeps_sub(browser: Browser):
with browser.new_context().new_page() as page:
result1 = pro_connect_to_renater(page)
result1 = agent_connect_to_renater(page)
with browser.new_context().new_page() as page:
result2 = pro_connect_to_renater(page)
result2 = agent_connect_to_renater(page)
assert result1["sub"] == result2["sub"]
@pytest.mark.skipif(
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
)
def test_pro_connect_to_renater_student_not_allowed(page: Page):
pro_connect_login(page, email="jean.dupont@formation.renater.fr")
def test_agent_connect_to_renater_student_not_allowed(page: Page):
agent_connect_login(page, email="jean.dupont@formation.renater.fr")
renater_wayf(page)
renater_test_idp(page, login="etudiant1")
expect(page.locator("body")).to_contain_text("access_denied")
expect(page.locator("body")).to_contain_text("Une erreur technique est survenue.")
@pytest.mark.skipif(
+5 -14
View File
@@ -26,8 +26,7 @@ fi
# https://github.com/kubernetes-sigs/kind/issues/2875
# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
kind --name=oidc2fer delete cluster || true
cat <<EOF | kind --name=oidc2fer create cluster --config=-
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
@@ -36,6 +35,7 @@ containerdConfigPatches:
config_path = "/etc/containerd/certs.d"
nodes:
- role: control-plane
image: kindest/node:v1.27.3
kubeadmConfigPatches:
- |
kind: InitConfiguration
@@ -50,7 +50,9 @@ nodes:
hostPort: 443
protocol: TCP
- role: worker
image: kindest/node:v1.27.3
- role: worker
image: kindest/node:v1.27.3
EOF
# 3. Add the registry config to the nodes
@@ -62,7 +64,7 @@ EOF
# We want a consistent name that works from both ends, so we tell containerd to
# alias localhost:${reg_port} to the registry container when pulling images
REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
for node in $(kind --name=oidc2fer get nodes); do
for node in $(kind get nodes); do
docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
[host."http://${reg_name}:5000"]
@@ -89,17 +91,6 @@ data:
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
# Patch the CoreDNS configmap to rewrite requests for *.127.0.0.1.nip.io to the Ingress Controller service
kubectl -n kube-system get configmap coredns -o yaml |
yq '.data.Corefile |= (
trim
| split("\n")
| .[-1] = " rewrite name regex .*\\.127\\.0\\.0\\.1\\.nip\\.io ingress-nginx-controller.ingress-nginx.svc.cluster.local answer auto\n"
+ .[-1]
| join("\n")
)' |
kubectl replace -f -
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl -n ingress-nginx create secret tls mkcert --key /tmp/127.0.0.1.nip.io+1-key.pem --cert /tmp/127.0.0.1.nip.io+1.pem
kubectl -n ingress-nginx patch deployments.apps ingress-nginx-controller --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--default-ssl-certificate=ingress-nginx/mkcert"}]'
-23
View File
@@ -1,23 +0,0 @@
https://idp.enitab.fr/idp/shibboleth
https://auth.centrale-marseille.fr/idp/shibboleth
https://idp4.cereq.fr/idp/shibboleth
https://idp-ecole-air.renater.fr/idp/shibboleth
https://idp.enpc.fr/saml/metadata
https://idp.marseille.archi.fr/idp/shibboleth
https://idp.paris-malaquais.archi.fr/idp/shibboleth
https://idp.ens-rennes.fr/idp/shibboleth
https://idp2.ensai.fr/idp/shibboleth
https://idp.esaip.org/idp/shibboleth
https://idp.college-de-france.fr/idp/shibboleth
https://idp.inalco.fr/idp/shibboleth
https://idp-insa-cvl.renater.fr/idp/shibboleth
https://idp.oca.eu/idp/shibboleth
https://shibboleth3.obspm.fr/idp/shibboleth
https://idp.sigma-clermont.fr/idp/shibboleth
urn:mace:cru.fr:federation:univ-lyon1.fr
urn:mace:cru.fr:federation:univ-angers.fr
https://idp.univ-artois.fr/idp/shibboleth
https://idp.univ-pau.fr/idp/shibboleth
https://shibboleth.csi.uvsq.fr/idp/shibboleth
https://idp.uphf.fr/idp/shibboleth
https://idp.univ-paris13.fr/idp/shibboleth