Compare commits
23 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 17289b1040 | |||
| 0580ec6d7e | |||
| 4b5bd5757c | |||
| 61680de401 | |||
| 0fc4450766 | |||
| db99364ae6 | |||
| 25c401c653 | |||
| 311d490566 | |||
| ba69d2d4bd | |||
| 82fc42d093 | |||
| 10fc48b9ad | |||
| b8fe38853f | |||
| e03dddde67 | |||
| 15064a0b45 | |||
| a2d275366c | |||
| 5c18904e39 | |||
| 4aae1dbec2 | |||
| 4d19d6ec1b | |||
| 7ecc4c404a | |||
| a940151661 | |||
| aa9af2a401 | |||
| 132e7a442d | |||
| 08d5a5ef4d |
@@ -16,8 +16,19 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/create-github-app-token@v1
|
||||
id: app-token
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
owner: ${{ github.repository_owner }}
|
||||
repositories: "oidc2fer,secrets"
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
submodules: recursive
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
@@ -31,7 +42,7 @@ jobs:
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Login to DockerHub
|
||||
@@ -55,13 +66,24 @@ jobs:
|
||||
- build-and-push
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/create-github-app-token@v1
|
||||
id: app-token
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
owner: ${{ github.repository_owner }}
|
||||
repositories: "oidc2fer,secrets"
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
submodules: recursive
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
-
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Call argocd github webhook
|
||||
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
if: github.event_name == 'pull_request' # Makes sense only for pull requests
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: show
|
||||
@@ -39,7 +39,7 @@ jobs:
|
||||
github.event_name == 'pull_request'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Check that the CHANGELOG has been modified in the current branch
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Check CHANGELOG max line length
|
||||
run: |
|
||||
max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
|
||||
@@ -65,7 +65,7 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
with:
|
||||
@@ -89,7 +89,7 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
with:
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
SOPS_PRIVATE=ENC[AES256_GCM,data:k9v8gJJ1ZTDbN8mR9NegKpCC8Kbv9ZqWDx3nhs6YAC6U2gxI0RDg5KRx0juym+5DPEVG4ck8y+ju/4uthRUZd0JkexEJX0WKFTo=,iv:hucEFAC/FTQsE4A+JmuY1PeJJcBRAWUqEul5wplVsJ8=,tag:uCYu26tM4hlheT8bCInA6A==,type:str]
|
||||
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:gsq8AIbLENiXfOg=,iv:48QhtPLRq0yWpffQPxmkb1FLOkNQ2vp1/o+fnU6QM/o=,tag:s7ADhOZ314EWMc82kRvK+A==,type:str]
|
||||
DOCKER_HUB_USER=ENC[AES256_GCM,data:/+bIx0jMNg==,iv:Em3MIFQ8B457gwkRGB0JkRknpEQ1maiqW42gh9/DWDY=,tag:Hc8ZHDludj8up7r0tH2FRw==,type:str]
|
||||
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:JHzooEYiqWdH4MjcNT3lL0fxY6YlfyhP6kM0kV6NPBnTtI46ip7nMXZoChkQT7CoPTof3IjMdJaD,iv:/CRQTZhnSi0UxgVd0crnvlVJfStIbYCG3cMTkejW0tU=,tag:p8QAWnwa+M4m9WSQMr7Obw==,type:str]
|
||||
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:oQyuVQFPmhLIL14hWK0vUxo+r/QEj8hb2uY6bntlEyNqrFg7NOameWFn+dvCsN+C90HT9wD9yhu9aXsV92cJxDI=,iv:MVeeLpJU4taPqoGvJ8bqh6bfLHntRfqic/kIBPY/WV4=,tag:gJXkjUvSjrGjqPqCw6mRyA==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9CUXhYSTVoMnNGZWda\nUUJuYnd4VVM0YW1tRHhIUjNoQnZ3cEc5ZkdFCmg2a3dkcGNVSGFWd2hBa3pVUU5H\nVlMzSHd1VlBBdVZHTXA4S214UkQvSzQKLS0tIDVjTCtHSnJDZ2pOOG5ONW1zbTY1\neHZpRlZqVlhaVkpsR0VwRHBWZ0d4VjQKQUFraK9M2bFItVmQ7l9Z59SY9YkhGzy3\nON3028ZP4Xfvr+8FaQj0xS/5rnHTFIKLmW7bbvvPWeBW/LFvfxaUcw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWnVKM2hwdXdDYXhVUzh0\nSGxrUWNYa25KcWdvRUxWNHl1eU1UdjN3UVNNCkJ2Y3FZblBMWlpUKzE2bW1HZUJF\nZldzKzhrWVhHd0RKN01Ub3JLYkNlZGMKLS0tIEJDTy9OUVNOTVdKQ1Y4eGpqUnIv\neTRTa1UrU3Q1LzVkZWpPaXpsamRXVGcK3PBKBPIVV58HT6UGOovjzgxqlrhDo/S7\nhIye04YRyGNZamnff0gOA0n9wXrcvTyFYiv5o9CFQtfg082j7ii70w==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_1__map_recipient=age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWndDNDBoMGxuRFhTalJu\nNnZVYXBwTjhsY3BXZmV6ZW1jQkZ2bExIQmowClZCZmU5L3p4SmVXSmV1YnpXT2lm\nSFlpQ0o0cENtYVRvQ05vWE5XTCtNV3MKLS0tIG9oVDIrdElpd01JUEpRK1hmaWZq\ndE4yQks5dkRRbk9ZN2o3UHQxeHhlMXcKXBZxVw/yVb+qM+puQYOqqUHEsNggZ9LX\nkVOelk2UijLUHx9VCoerrJkfI3mUKCsNCvwnrL2bqezHgg+VhPhukw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_2__map_recipient=age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N1h1OW4wRVh5YkR5TkJ5\nQTlDK2RUSkIzWjJwUnp3b2todm5FVVJPWnlZCjhJc1JZcEQ3KzJYRVBQLytOM3JG\nYUFJdHZDTlN3RXpyZlluWU13c0VET1UKLS0tIGhJZmJZNUx5TWl1YnFJN0RWeEkv\nWjZoZzZiM2lkMlFabXEvMnhaYUdxY1UK3d/SWz3fcij+4W4tq1zRFK+4sCYHTCxS\nEuT/a+St02Eirrg9SW3b52T1RvZriOQAR/VUG09pjjGliaf/oW0pVQ==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_3__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
sops_lastmodified=2024-04-18T10:38:19Z
|
||||
sops_mac=ENC[AES256_GCM,data:HGGl4gcXnli8Z7P2P1MspygWRIHJqTLesf/QpiUUC6qH07Qx5bhN5fA1Oo3WTcz+fXkfAY8SV2RZb2CHxo/NouCiATw7vodX1ttwvsUE6RLgdjvMJl4ecWucZMiBdBtpFF4IHrKxswQg1FEdT8U/JP3Gw0TxxaRXIqskXkytp9E=,iv:fPcbne5lDa6+b+DqB+Q2pJ11EB9Vfpvqd9yextCjv7U=,tag:MkVoOpIApCIluFzsazl16w==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.8.1
|
||||
@@ -0,0 +1,3 @@
|
||||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = ../secrets
|
||||
-10
@@ -1,10 +0,0 @@
|
||||
creation_rules:
|
||||
# Using a single-key group to be able to use per-key comments,
|
||||
# see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
|
||||
- key_groups:
|
||||
- age:
|
||||
- age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # Jacques
|
||||
- age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e # Jonathan
|
||||
- age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj # github-repo
|
||||
- age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw # argocd
|
||||
|
||||
+12
-1
@@ -6,7 +6,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
|
||||
and this project adheres to
|
||||
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
## [1.0.3] - 2024-09-02
|
||||
- set SAML signing algorithm to use SHA256 for compatibility with AccessCheck
|
||||
|
||||
## [1.0.2] - 2024-07-22
|
||||
- check the scope of returned eduPersonPrincipalNames
|
||||
- require "employee" value in eduPersonAffiliation
|
||||
|
||||
## [1.0.1] - 2024-06-04
|
||||
- enable JSON logging and LOG_LEVEL environment variable
|
||||
- add production configuration
|
||||
|
||||
## [1.0.0] - 2024-05-16
|
||||
- add Helm chart for deployment
|
||||
- provide Docker images on https://hub.docker.com/r/lasuite/oidc2fer
|
||||
- install SATOSA
|
||||
|
||||
@@ -47,6 +47,13 @@ Finally, you can check all available Make rules using:
|
||||
$ make help
|
||||
```
|
||||
|
||||
## Creating a release
|
||||
|
||||
1. Update `CHANGELOG.md` to change the `Unreleased` header to the new version
|
||||
number and date.
|
||||
2. Commit and push to `main`.
|
||||
3. Create a `vX.Y.Z` tag from `main` and push it.
|
||||
|
||||
## Contributing
|
||||
|
||||
This project is intended to be community-driven, so please, do not hesitate to
|
||||
|
||||
@@ -31,11 +31,13 @@ services:
|
||||
}
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://satosa.traefik.me/Saml2/proxy_saml2_backend.xml
|
||||
env_file:
|
||||
- env.d/development/common
|
||||
- env.d/development/satosa
|
||||
volumes:
|
||||
- ./src/satosa:/app
|
||||
- ./docker/files/usr/local/etc/gunicorn/satosa.py:/usr/local/etc/gunicorn/satosa.py
|
||||
depends_on:
|
||||
- redis
|
||||
|
||||
|
||||
@@ -1,3 +1,65 @@
|
||||
import datetime
|
||||
import logging
|
||||
import os
|
||||
import sys
|
||||
|
||||
import json_log_formatter
|
||||
|
||||
|
||||
class RequestJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
"""
|
||||
Converts Gunicorn request log records to JSON.
|
||||
|
||||
See https://docs.gunicorn.org/en/stable/settings.html#access-log-format
|
||||
"""
|
||||
|
||||
def json_record(
|
||||
self,
|
||||
message: str,
|
||||
extra: dict[str, str | int | float],
|
||||
record: logging.LogRecord,
|
||||
) -> dict[str, str | int | float]:
|
||||
# Convert the log record to a JSON object.
|
||||
|
||||
response_time = datetime.datetime.strptime(
|
||||
record.args["t"], "[%d/%b/%Y:%H:%M:%S %z]"
|
||||
)
|
||||
url = record.args["U"]
|
||||
if record.args["q"]:
|
||||
url += f"?{record.args['q']}"
|
||||
|
||||
return {
|
||||
"remote_ip": record.args["h"],
|
||||
"method": record.args["m"],
|
||||
"path": url,
|
||||
"status": str(record.args["s"]),
|
||||
"time": response_time.isoformat(),
|
||||
"user_agent": record.args["a"],
|
||||
"referer": record.args["f"],
|
||||
"duration_in_ms": record.args["M"],
|
||||
"poppid": record.process,
|
||||
}
|
||||
|
||||
|
||||
class DefaultJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
"""
|
||||
Formats a log record as JSON, adding level and pid.
|
||||
"""
|
||||
|
||||
def json_record(
|
||||
self,
|
||||
message: str,
|
||||
extra: dict[str, str | int | float],
|
||||
record: logging.LogRecord,
|
||||
) -> dict[str, str | int | float]:
|
||||
payload: dict[str, str | int | float] = super().json_record(
|
||||
message, extra, record
|
||||
)
|
||||
payload["level"] = record.levelname
|
||||
payload["pid"] = record.process
|
||||
return payload
|
||||
|
||||
|
||||
bind = ["0.0.0.0:8000"]
|
||||
name = "satosa"
|
||||
python_path = "/app"
|
||||
@@ -11,4 +73,47 @@ timeout = 90
|
||||
accesslog = "-"
|
||||
# Using '-' for the error log file makes gunicorn log errors to stderr
|
||||
errorlog = "-"
|
||||
loglevel = "info"
|
||||
loglevel = os.environ.get("LOG_LEVEL", "INFO")
|
||||
|
||||
logconfig_dict = {
|
||||
"version": 1,
|
||||
"disable_existing_loggers": True,
|
||||
"root": {"level": loglevel.upper(), "handlers": ["json_error"]},
|
||||
"loggers": {
|
||||
# The gunicorn.error and gunicorn.access loggers are preconfigured with
|
||||
# a handler and propagate=False, we need to override this with the
|
||||
# default values (no handlers and propagate=True)
|
||||
"gunicorn.error": {
|
||||
"level": "INFO",
|
||||
"handlers": ["json_error"],
|
||||
"propagate": False,
|
||||
"qualname": "gunicorn.error",
|
||||
},
|
||||
"gunicorn.access": {
|
||||
"level": "INFO",
|
||||
"handlers": ["json_request"],
|
||||
"propagate": False,
|
||||
"qualname": "gunicorn.access",
|
||||
},
|
||||
},
|
||||
"formatters": {
|
||||
"json_request": {
|
||||
"()": RequestJSONFormatter,
|
||||
},
|
||||
"json_error": {
|
||||
"()": DefaultJSONFormatter,
|
||||
},
|
||||
},
|
||||
"handlers": {
|
||||
"json_request": {
|
||||
"class": "logging.StreamHandler",
|
||||
"stream": sys.stdout,
|
||||
"formatter": "json_request",
|
||||
},
|
||||
"json_error": {
|
||||
"class": "logging.StreamHandler",
|
||||
"stream": sys.stdout,
|
||||
"formatter": "json_error",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
@@ -68,6 +68,12 @@ def oidc_callback():
|
||||
|
||||
assert aresp["state"] == session["state"]
|
||||
|
||||
if "error" in aresp:
|
||||
return jsonify(
|
||||
error_response=aresp.to_dict(),
|
||||
)
|
||||
|
||||
|
||||
code = aresp["code"]
|
||||
logging.info("got auth code=%s", code)
|
||||
|
||||
|
||||
Executable
+4
@@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
|
||||
git submodule update --init --recursive
|
||||
git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'
|
||||
Submodule
+1
Submodule secrets added at 647b88689c
@@ -9,8 +9,11 @@ satosa:
|
||||
BASE_URL: https://oidc2fer.127.0.0.1.nip.io
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
|
||||
LOG_LEVEL: debug
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/outscale-production/secrets.enc.yaml
|
||||
@@ -0,0 +1,32 @@
|
||||
image:
|
||||
repository: lasuite/oidc2fer
|
||||
pullPolicy: Always
|
||||
tag: "v1.0.2"
|
||||
|
||||
satosa:
|
||||
replicas: 2
|
||||
envVars:
|
||||
BASE_URL: https://renater.agentconnect.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
|
||||
LOG_LEVEL: info
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/renater
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml
|
||||
SAML2_ENTITY_ID: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
CLIENT_DB_JSON: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
|
||||
|
||||
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
host: renater.agentconnect.gouv.fr
|
||||
className: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
|
||||
@@ -1,52 +0,0 @@
|
||||
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:uVs1uGoFfESz0eAkxvPUkSXQw6cCvzi+YfH7pbXLxAXxYhmiKf25JarZX2ur8au3pdOd/rz0mZGpC2mfN8Fh+3+a0hseuvhqTetiFlc7Gc84HTXnyUQFzZa4Rgk6LeKGB8TDLG+s0F46u75KrRdHrwSbthBQhtiZCmoc+JcqSKJfl9Kv9OVMXEPHUy3zYvIy32Gk/+BEt+J9eo3RT1ZmmyRZToWWgXe906n2Bhvm8q05OgHkbCqu29TGKBviwikWTa36aUWNVdWh6XW7CtOPjWDvjYbVgb3O/Vwmw3mPRGviuAK1WS+kzMyP5oYQsWC5F97R0XlhnKElxpIRycCz3m/YLShuM1xtStiiR4mym6mNi99YonQ6hbodHSij9R/udXyMLeC5QZM15XzWHGFA+NemqVMGZ2C/xIhHCNUscKvHzOiQ2RiTk9VxNZfSdkzEXe2gMbl/+o3hSj8usFJOZWgToiYN+oBXgP1KqRlwdPSysCB3hs6mysn/1WlILWXN+EOYJP1jLsv1T4dC3ajujmnmhCn3/EYVI4TKEM6nJNs2KxNqlsC2D4G2n8NDciZVUt5a82tXWW6/ROA5UZDFOILkCHvfk6nkTRZjcXWmtPmCgwy54TysJ1wLsIycAsd8MuBTD3d9SpYFHKNC74O30bJe8GqtKObvHg8Ycp36+oH3gs41Mv5H32DumkUF6FcMJtbOEOYoEiHtuMSVXzuIdr6ikYQsRBU4v0UUpJTdMl2W+tYB8NeWBdI4jYaR+xwLw4+gs/deXhE7USTlPZJDB6a4DValxm+p7dLmUr5McgdhyEAACmxzhiSl33ccV2dIQCMsk4RoBXCZGX10ElY9bMk0vLaB5/n6qQgP51onxOUeJ6poKj4wneIZ7WmvbBfAVFUHoCPMQemjEEk6jVza4la4yQUW9rCgo/Tpfb7e05A+ux0CvNKvhcJLfyxN+LwDOw5X4p80gdVO8aWKyE+Ue6GPQBMZ8Ma31jlX//4KeIVcjpZAdutp38vJ936Ezrowu0HbviC1f0pJWXBVw0G8DGtpgorYhkN3Biwzu30jMEcWJXFSPqBGH0U2I5D4IXsDX1rH3DAR5UOKMVbWJ72zUq99Uip0FiaY1IVZLvfkfbPHwVq3jmuiZ/nXn1HenmNlkYOmOtL5BnZ47gHgXiMgFx6YGMBY50pZvk8ISKcacP52N9ph3EkovJR3Uam4XrtbMV0v9AGHX9aXYF1uB37q+ifZ4KB0b91dbXIUxXMb7FrbZ/iDX56+yTzdxdnXHWsmcBtPNFHxo+QjZvk4+UWlvoahwLJMGlxtgk71TPF65ms8y4L5Qq1vL2BgGiKWARWmq7KnrmrXQQWRZAXQd0lfqhVo7GDhppJUKBgYSQ4rC0q6u2mEm9YJc/3vsudKkwTyoYfBOmmz2+xI8fdaFuzg9UWswG3n61HMFYVf8+WAmoS7Bo21ns+KiIOroGruYdExr5rJOPcsLiPEr/Qmk0M=,iv:VI5LR7U20u6jG2voQgbnKcXclbWnROASzoYYz9N8Qlc=,tag:r1hGWOZRaiBblWvntcdYzg==,type:str]
|
||||
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:svNEf0i2AB0fQlJlwJ4tkST7R0GGArPGw7iVGA4pRYedphZrRkeTVUoI3e/Ku5fTv2IXBK4NU5NB9OvFL8VaX1hN3xxWcW6htcOzSGPklee/U4j9fSnUvZzCHtCz1sYgCoQCPcQObfLA2S2H+CMekJpy53djxfjbZdo6+A+T1Lcqk/aJkl8IO0+LgfK2vlp7X5hR4BLS+fdVOrogqzlIrr7iumvSBTS8RY0dp87iLGcWmKCYLrvSieyneiC1VgYughl6LxcPLBTPSJFZBt0NLR3oUMcumBaRpvrlLxPihJbqyC4Jn+We0IKBMYmLCEBBLjx+J4EFLHaG6p3+SyUmLYNJMeOvvexR/qTaiuwUp/3gsD8PrwxFVn7Z3jeL5gX0ohCQyETNuLpAw47yNAlHZaZ11FcFpRUINZrPBG/myJk4i40UQ+AmWBPgS/SxmQj91hoUPw23VDTGWLKv/B5Xd48A3hEOKeA7PmGOfCfd7d9eOJP42dcqWyUypogELAJgF+Leci4q6T99fnIGlBahJK8yDltc4NU4kEAsACdIBZBK+Ezyu+n1hOtg9BEDOUeilSy1TAgfi/B9CQrFLU9cSo1qFPHxIkaRPV3IVuGfEaxNpVrv68RaicYCfeUWIcQ3h13ftPIQlZ6rNukC1pDugV4GrPTtapokV/Z8/8QU0BcRAmfDIniBlk+uP2ga8YDJ4c1FDl6KYQt2zyzFQACOoVPOm/VvffGzOl042iO0ibHAklZerFgbjsiUCpBcRi4dOFqMt6OkvdTldFYGOm+FADtVdJaRoUk8uXe13GCUASjJUCrMOmimEb6gKNYbm2u27kWBIlPMNmLlelVkEpmPCmAl2yLXiJhdxBu0YgHyqwqizKOumckoYditFDXkK52ZtANqwLaHNtGV+aB5dvxRlN5NhsUYr9zLmgv4bUkYL2lI5p5IFN0Lha0fDG105FbIoqmuKXxWJ7IL7MisQLW5DGzN29gWH/uh3A00b3jiEn/0HvEh+P/38t20/IP/l65Z7OZAf2VA1jpCv04lKPXYmvMbcXIROhWcA1yqJvdgiNIh8eWWt/1mFzjRHQ1vfiW5XEn1Yoln6Q++Q5RgnlraizuZWDGeKvP/b5+B15lgdx7keG5rmSpn8ogJD7Cey6epsVY84Qbqpvcp5i5EcL/cMs9NkN2Yf6EGKhczILOAwH2YypWnttIz8OrftjqPzbAP/XOXLFxNbFBlyzLlYwTcjNUIZtg9OwK3k0zDKeHT+q6xSMFdyf3Xpdoh+NJD1QYzoSzosWj/Yzxg9bZVVpKOb89fkGRpNtCuHEkprr0LJUCaPSArANE+MH7E6uisBVvIQwF9MzTf6apHoyUIi0Oq0dRpryvD/OBf0V0Zn75uitpoSqEZf+i8+L3s7dsFp1lEwywUZuZPxmk8kOIyPGNG6KmuFOr0j/6jPO4/05dIvYb/f/sSCjQo3E99whPx5Of9tmlU4eCM4Fwzpgu/w4uKy4f27W4LYosfpENHGRbaWI2XFmmNL1J6Lm6h1yZ+3ck0391zBZA0pp0tNIR5AEc5UBn8GQHrmk9NW2QLMqQLPmhgAD6unHeJY9iYMoCAMqc14c6gjF7gjBCrZd58qBTcNHw3p0GJXACgCm/OGqhRYFuWF0kJUugnTK9n1wfy3/HNE/adBnOqJWEkoP4n/VVL+eucECBtOX0jPFHmPsMYMSdwupCB32G7I36dQPYQsjbD+Sg9StAQxbXUIALRQ1cMaeHpUNSc48sE8ElrjZStNf46oWs+rDjhleWdOlpfsOJ+qwJrLLXFqBMeFtgXpzL4NnRoEGjFFK5l7EtfGDK0/ytPPmOwarjEDftaLmDTfBniZrt/WuuChe7MHbKRcGFkBYA2nbbBfMcpnsGBXpEMQl8LYZR9Sg8hMT0rFYtXj+h0ceCIfsa1HdV43NR/oos7Nf32rjLAu/jVUMNwWOKew5+Du61gmhBVpVNtvTe8+31dYMoQGQrIbxnHQmT1fu8LB0Am45+Zghk8sc0d+81xEzYxvYXMR/QMbwJnWGGI4e7XSUMA5k9xKXXNDeYNCP/e9BGhl9sS0XYX0HSrjX6rsVI5K1QRjT+CBiIqlS7q6bofZ8tsiYhRSh7pgYgvodsPKezrZCTTY4/Xyg9iLMtqtpqMnfqmbaYvwJ6r5LbWeR89tkjmlHcWcue/85Y2D/1COiGFRODIityykTTjacGj/MlYXPE3O20Lr1P1YP2lm22i9kM5jKuCiGbyMn8ZuFVQ30Hnwv2qH4k=,iv:itJR8JpZRrwhbQY/kTEURY28vyu1qex7GsRme9icZYw=,tag:JgkJOE+bdK19KjvdH/k1Ug==,type:str]
|
||||
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:8I/blGdvSDc+Hy96s4OsULJTo9+qyF+8Z4mxA/S11kLQjhue9sRTp/2Q0Db/gw0fMibb8gwrRi4oH4BsHfXaNxtyPCxrgwmeCpaq0rvgrOn+czEDQGErf7QxHnzvsOMBqMygRWKk3aKLjZTNvfMeaQL9KSrtEgePrfUvykSIPwN4HwtNH9Tymq6xopAhgk9jWq5kzomCu6u4OCxz9Fp1GgTdj/gLplMWYeTyWZQFRPimZoBfoxhbih9qofw4uqmN8+iT/Fj9EOAUMsdYeI9i2GKoT/YRso8yipi8760teUwqoDntTVv2ExR4zDvhI5Z9jISyX3qAXls/bwmwAWSb+JIxPAwgbsMDwmPTHItG3Xr2NPkiBVWujMhg7duq+labguwUZelpqQnvnKbxWHm1+NGRS+VYpPQRvzRREh02ybDt7/yjQMSAhWOkDXzZf6WNQfEf5jguz3B6CA6PGAwz9gZX7JivP1O5ontaeULbF373VsOQPmn57qZirk39Ntg7S9tkt2voxilSBMkhDsSXC3Qa9veGnd+t+Jg/YCEamoJEJ85EBfPzgvr2s6Av9D8B2h/gruXCQVCm/Zr9BX8Lus8JmSohTeZUFVteabmxr4W0gwPJgb5Ki0HciKxGsE7ITA5SFFN4LdxsBHlvJ0aJ1pipYfkkpI3YdC45CI22b2gDNIqVamK8hpYn8bTP3jLWsO36M/wnDB6oKsFiTTb4HxNuWVzIshQG8Ua0xwuhizuvZRDuRPUe+gfaiy0Dqzo/RLX1C92TJ7tYzlpM5/u0n7YkY5+/IB2ljnmAC5Kj5z+kNxhTflX/8Z62WTPBZlzE+kJb9hgMQQ8t7jDk6RnpmrUhOKx7rzrFzI/qmXC9+8yHEhiCBI5Wn3R89uCwV0O6WAhIuG9zQiaSiCwDaS3DHCy4PgcUBdbh5tddJ6aazmM9xBZFcevy06gWKmdjbkg3sacjCpTTdnIT4hwxdISTRWtuyYj+pp1d/rs5426yadftPI21OQ1F062nSTKtyViP8PFxzppbCzpSUK5oDdL7wCX2+y8071GJqNipLw+hUS/1z9x7GvEs0Fy5ZOefoHShO/vS6CfXUYoPNpq9ZiAoXvLCRSfY8HEqfOF45hFJLJsVhaKXOe1t4mfHJxrl88NKZXRC3nvSdoqwP9MTdNuvTf86Gn4n+zd3qT07ARqjq4hlV3L69xBxAK/QFrxHagSWOE4Z/tHvYYEiohbn/F6J4k30uv5KnR5P2OpXGRiS5eNXzXdfW+DptBHttmJKtzxD4JJbWRP6kFaUZiCLQLyhZTWoPHmFSTphkxZ2MkqCx13eFTHA927/zehAYCU/miJ1JLATMYaD3mHWifEKRipfG406cF1Y11w27Of3fmhAhqO/7LeZX1a39NXKHW6sIk1Rz0mEaFT8tpBUUxdR1FVaj//MUc7QsvzaxT1O8JletttC8wlWx1mePS1IU49O0DyYcZn4BW8vVJFDz24N7ARb+WcajmsopZScgNwO6XqvDaH/j8mH/0eWCFzIMfW0+pUoCrrmAtoHQ/Z2Dx1j1Yhddxkae1dwoyWGFDqLJyjJ9Hq7Xpx9jQOGGP0mQ2TOw1zwNCzfnWV3MTXmLLwSMc4/ZpOxSqsmI9RlMPE8LeU+ee/jhINYntD/q0zykcoSLj07SfwnYBZPfZcnxNyc94fyrX6GYGfXIAmPR2/pryRtPyXLR3WK9SbL/8rGN50mO42QlvXK0azWRe6gMT4yHZP6V6d5Vqrte1tfhUf/DYuUC0on6qHW5TDrWw7QBdiUQeip4YhW42vgU2WjjNiPZF332uExy0pypO6cZTnsR/jCUZxFMd/IVKWyhAeJt/Wx1Jli1c1SNTigH7LCrSLyrsA2tmufRAcGXRzG2C0mjwofWb7zR1IGCZ0yoVPSt7HNpOY5WoBLpsbhXBodyYTmrSprxXu4cg/n/G8jbAo/xW0AriJolA5k6F9/DWD/tDnIawhwW4AqqeWDk1MmNoGOf/OMplDdwrpkmclVidIcNnaCML8iuKiPx4g+8mdOdkc/mqIP8zaSInRV1/IrIGGSGRwSfQ4wyRFGqC8fYckympShVAGbetOLXn5dd7S3MGlh6n/rgUecqYySs9ckN2Ti0F1g/2CMI5g1Tn4fF2dwOk/iKFLvsSt5Y/vLMTfjK7W+FSg8ImtLs/Jfbn0rrlMVjoBXB2e/yajmu7r+xneP0OeRja+oA1gGExodDmUa4zV6QEU8IFSMLdnqMtShDdRs/XT1YAHbrlS4swg=,iv:EJEMIEsraig+i+5PlieAwHS6XV5bP+wlxv6Wni/9Dws=,tag:DM1XLnEtTp0vFEjAD4u4ag==,type:str]
|
||||
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:U0BoVcDN6/sNDST8epqmOzs5oWok6lRZ+hLo7O6/Mkz0cqB4rcHe/OOC9HTe39K5WUCD25Rfrb4lSeK0Finl9A==,iv:NM9Wjlx/llNc7Ws8DaNYy9dVq/oFEdlK5a/Alr5ZxVA=,tag:VT8GhiFxeI8AjdcKdRkEcQ==,type:str]
|
||||
CLIENT_DB_JSON: ENC[AES256_GCM,data:C1UpicWcfmngdnBqGBMujt8aUZ+WpmvGs652NgR3gvN+aeQ1mMFWAjjCza5q9jN2sIhMbmu/NPrcTvLx4UNE0MOIclrWWbPdxk2UyylU+7TEas6V7OrpJa1e5D8msSSAnPLI7YSrRILSrw6pktnM/07d7S8Q1fkLGxJYkRboTGbTSRGRSSMDFdyrdrGiTDnc3H0y7FQerzQ8caRgRvb1JW8OPpJ+Kpk3jfTyFCNwiyJnISb48QCQPQX2jg9GpXl6OaPg2bw5OnnM1hi/qL+43nR/wV1WnvH/Z+Quvwgj7RorpS1TWVeLIC6zo8o49XFg6aHoiKigma3U/8ZeccsxpYHdsqObQ/mrSyYS87YNHXbl5miwjevaBGIj4Vteg16Vgs6R4jd8qgan+zCCfu5OwGmmCFG4M6EnuWhvQ5YpDGjclBc+q5exSnrb2hVOsEpYB2iRpcd5KNexrhCBJQZVMWRtAhnGIsupImctHaFVcZsvDBUQ3tQ+glt8s59VNZlnXPGE7hnB4L60PxMUJVhL6p8pbQtNvm6fCUBORoU+FCXnfGoK70Cxc/O6THvIcMH8L12rM0XEe/QyJIqRrBUtQcXgTZo3cB+tLVKW/MwKMyCk4s41McyEjL420pFh8cJ19iHWw5vZ4pZ4lkdtyaf3OI5eIVrnKj6uU96/daJSTOJCUgdyj/Vve//4m+UN7qkbnbahPRt5MZIY6P6P/Qs0JeV1tUnhe4vU,iv:WWpqoOZaXwIt1uziAdxgYDNSqR0XG0n/QexgIRItbm0=,tag:gzhESbDbnySTMMoJQiQl/g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
|
||||
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
|
||||
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
|
||||
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
|
||||
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
|
||||
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
|
||||
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
|
||||
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
|
||||
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
|
||||
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
|
||||
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
|
||||
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
|
||||
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
|
||||
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
|
||||
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
|
||||
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
|
||||
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-22T15:46:36Z"
|
||||
mac: ENC[AES256_GCM,data:Nc8rhWtwyXedqESemEusiy2yeqtDbjlep0PAbQ7UW2+jdZZE/uOW1I7LvqTNOKwPwMwFgT0+PyuxOzcSrYtH24A/QSEA2P5kH9S7VXaAZmrWYANTI1pMzqaMGYdP2KQlgK3SqBPmJlG8OHYAHpYpFMIUduWiYCdgEZCfzGbzsfg=,iv:2so40E91bgVh2AL5D6Ju1CXP1Bd31kN95/86/Oinkg0=,tag:rHy//0ddChLA/dIN4P0EhA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
+1
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/staging/secrets.enc.yaml
|
||||
@@ -9,8 +9,11 @@ satosa:
|
||||
BASE_URL: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
|
||||
LOG_LEVEL: debug
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
|
||||
@@ -22,7 +22,7 @@ releases:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
|
||||
- name: oidc2fer
|
||||
version: 0.0.1 # {{ .Values.version }}
|
||||
version: {{ .Values.version }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: ./oidc2fer
|
||||
values:
|
||||
@@ -41,4 +41,9 @@ environments:
|
||||
- version: 0.0.1
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
outscale-production:
|
||||
values:
|
||||
- version: 0.0.1
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
|
||||
|
||||
@@ -22,9 +22,12 @@ attributes:
|
||||
acr:
|
||||
openid:
|
||||
- acr
|
||||
eppn:
|
||||
eduPersonPrincipalName:
|
||||
saml:
|
||||
- eduPersonPrincipalName
|
||||
eduPersonAffiliation:
|
||||
saml:
|
||||
- eduPersonAffiliation
|
||||
uid:
|
||||
openid:
|
||||
- uid
|
||||
|
||||
@@ -23,7 +23,7 @@ config:
|
||||
# - url: https://mdq.federation.renater.fr
|
||||
remote:
|
||||
- url: !ENV SAML2_METADATA_URL
|
||||
entityid: <base_url>/<name>/proxy_saml2_backend.xml
|
||||
entityid: !ENV SAML2_ENTITY_ID
|
||||
accepted_time_diff: 60
|
||||
allow_unknown_attributes: true
|
||||
service:
|
||||
@@ -38,6 +38,7 @@ config:
|
||||
height: '200'
|
||||
authn_requests_signed: true
|
||||
want_response_signed: true
|
||||
signing_algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
|
||||
allow_unsolicited: true
|
||||
name_id_format:
|
||||
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
module: satosa.micro_services.attribute_authorization.AttributeAuthorization
|
||||
name: AttributeAuthorization
|
||||
config:
|
||||
force_attributes_presence_on_allow: true
|
||||
attribute_allow:
|
||||
default: # any requester (SP/RP)
|
||||
default: # any issuer (IdP/OP)
|
||||
eduPersonPrincipalName:
|
||||
# The eduPersonPrincipalName value may have been filtered by the
|
||||
# AttributeFilter processor, if it did not match an expected scope
|
||||
# for the IdP.
|
||||
# We require it to be non-empty here, to avoid an unhandled error
|
||||
# later in the PrimaryIdentifier processor.
|
||||
- ".+"
|
||||
eduPersonAffiliation:
|
||||
- "^employee$"
|
||||
@@ -0,0 +1,12 @@
|
||||
module: satosa.micro_services.attribute_modifications.FilterAttributeValues
|
||||
name: AttributeFilter
|
||||
config:
|
||||
attribute_filters:
|
||||
# default rules for any IdentityProvider
|
||||
"":
|
||||
# default rules for any requester
|
||||
"":
|
||||
eduPersonPrincipalName:
|
||||
# enforce correct scope (the part after '@' must match one
|
||||
# of the scopes declared in the metadata)
|
||||
shibmdscope_match_scope:
|
||||
@@ -7,7 +7,7 @@ config:
|
||||
# names are the internal SATOSA names for the attributes as
|
||||
# defined in internal_attributes.yaml.
|
||||
ordered_identifier_candidates:
|
||||
- attribute_names: [eppn]
|
||||
- attribute_names: [eduPersonPrincipalName]
|
||||
|
||||
# The internal SATOSA attribute into which to place the primary
|
||||
# identifier value once found from the above configured ordered
|
||||
|
||||
@@ -12,32 +12,13 @@ FRONTEND_MODULES:
|
||||
- plugins/frontends/openid_connect_frontend.yaml
|
||||
- plugins/frontends/ping_frontend.yaml
|
||||
MICRO_SERVICES:
|
||||
- plugins/microservices/filter_attributes.yaml
|
||||
- plugins/microservices/attribute_authorization.yaml
|
||||
- plugins/microservices/primary_identifier.yaml
|
||||
- plugins/microservices/static_attributes.yaml
|
||||
- plugins/microservices/attribute_processor.yaml
|
||||
LOGGING:
|
||||
# All the logging configuration is done in the Gunicorn config, this is just
|
||||
# here to avoid overwriting it with the default SATOSA config
|
||||
version: 1
|
||||
formatters:
|
||||
simple:
|
||||
format: '[%(asctime)s] [%(levelname)s] [%(name)s.%(funcName)s] %(message)s'
|
||||
handlers:
|
||||
stdout:
|
||||
class: logging.StreamHandler
|
||||
stream: ext://sys.stdout
|
||||
level: DEBUG
|
||||
formatter: simple
|
||||
loggers:
|
||||
satosa:
|
||||
level: DEBUG
|
||||
saml2:
|
||||
level: DEBUG
|
||||
oidcendpoint:
|
||||
level: DEBUG
|
||||
pyop:
|
||||
level: DEBUG
|
||||
oic:
|
||||
level: DEBUG
|
||||
root:
|
||||
level: DEBUG
|
||||
handlers:
|
||||
- stdout
|
||||
incremental: true
|
||||
|
||||
@@ -26,6 +26,7 @@ dependencies = [
|
||||
"SATOSA==8.4.0",
|
||||
"gunicorn==22.0.0",
|
||||
"redis==5.0.4",
|
||||
"JSON-log-formatter==1.0",
|
||||
]
|
||||
|
||||
[project.urls]
|
||||
|
||||
@@ -2,7 +2,7 @@ import json
|
||||
import os
|
||||
|
||||
import pytest
|
||||
from playwright.sync_api import Browser, BrowserContext, Page, expect
|
||||
from playwright.sync_api import Browser, Page, expect
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
@@ -10,10 +10,12 @@ def browser_context_args():
|
||||
return {"locale": "fr-FR"}
|
||||
|
||||
|
||||
def renater_test_idp(page):
|
||||
page.get_by_label("Nom d'utilisateur").fill("etudiant1")
|
||||
page.get_by_label("Mot de passe").fill("etudiant1")
|
||||
def renater_test_idp(page, login):
|
||||
page.get_by_label("Nom d'utilisateur").fill(login)
|
||||
page.get_by_label("Mot de passe").fill(login)
|
||||
page.get_by_label("Afficher les informations qui vont être transférées").check()
|
||||
page.get_by_role("button", name="Connexion").click()
|
||||
page.get_by_role("button", name="Accepter").click()
|
||||
|
||||
|
||||
def renater_wayf(page):
|
||||
@@ -22,24 +24,30 @@ def renater_wayf(page):
|
||||
page.get_by_role("button", name="Sélection").click()
|
||||
|
||||
|
||||
def oidc_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def oidc_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":"Dupont"')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
|
||||
id_token = result["access_token_response"]["id_token"]
|
||||
assert {"acr": "eidas1"}.items() <= id_token.items()
|
||||
userinfo = result["userinfo"]
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
"sub": f"{login}@test-renater.fr",
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
}.items() <= userinfo.items()
|
||||
return id_token
|
||||
|
||||
@@ -47,43 +55,74 @@ def oidc_to_renater(context: BrowserContext):
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_oidc_to_renater(browser: Browser):
|
||||
id_token1 = oidc_to_renater(browser.new_context())
|
||||
id_token2 = oidc_to_renater(browser.new_context())
|
||||
def test_oidc_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token1 = oidc_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token2 = oidc_to_renater(page)
|
||||
|
||||
assert id_token1["sub"] == id_token2["sub"]
|
||||
|
||||
|
||||
def agent_connect_login(page: Page):
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_oidc_to_renater_student_not_allowed(page: Page):
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"error":"access_denied"')
|
||||
|
||||
|
||||
def agent_connect_login(page: Page, email):
|
||||
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
|
||||
page.get_by_label("Connexion à AgentConnect").click()
|
||||
page.get_by_label("Email professionnel").fill("jean.dupont@formation.renater.fr")
|
||||
page.get_by_label("Email professionnel").fill(email)
|
||||
page.get_by_test_id("interaction-connection-button").click()
|
||||
|
||||
|
||||
def agent_connect_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
agent_connect_login(page)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def agent_connect_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
agent_connect_login(page, email=expected_email)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("body")).to_contain_text("jean.dupont@formation.renater.fr")
|
||||
text = page.inner_text("#json")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
expect(page.locator("body")).to_contain_text(expected_email)
|
||||
text = page.inner_text("#json")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_agent_connect_to_renater(browser: Browser):
|
||||
result1 = agent_connect_to_renater(browser.new_context())
|
||||
result2 = agent_connect_to_renater(browser.new_context())
|
||||
def test_agent_connect_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
result1 = agent_connect_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
result2 = agent_connect_to_renater(page)
|
||||
|
||||
assert result1["sub"] == result2["sub"]
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_agent_connect_to_renater_student_not_allowed(page: Page):
|
||||
agent_connect_login(page, email="jean.dupont@formation.renater.fr")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("body")).to_contain_text("Une erreur technique est survenue.")
|
||||
|
||||
Reference in New Issue
Block a user