Compare commits
48 Commits
v1.0.1
...
refacot-ci
| Author | SHA1 | Date | |
|---|---|---|---|
| f5e13bdb75 | |||
| c3204ef282 | |||
| ae2d4a573b | |||
| 5be05fe43e | |||
| f90df5c2c6 | |||
| 6bbcd95069 | |||
| b839c32b50 | |||
| 9b062aa27d | |||
| 4a2ece217b | |||
| a7577ff85e | |||
| 4e81e1e750 | |||
| c27ebfe6ae | |||
| d84f2b32d5 | |||
| 9cb67bfb87 | |||
| ba1774bdbf | |||
| cb8ff5d878 | |||
| a6e01c071e | |||
| 5a0f2da202 | |||
| 3b2d50d657 | |||
| 52d7de305c | |||
| 64a0d4dd3d | |||
| ffbd161e29 | |||
| ba1c14291d | |||
| 4c4ccc88ba | |||
| c1b33453c3 | |||
| 6cede0a7f2 | |||
| 3b518b9b3a | |||
| 039d9a12cc | |||
| 6424679b85 | |||
| 30c91e2345 | |||
| ad726a92ce | |||
| 7cc8fc18a2 | |||
| 17289b1040 | |||
| 0580ec6d7e | |||
| 4b5bd5757c | |||
| 61680de401 | |||
| 0fc4450766 | |||
| db99364ae6 | |||
| 25c401c653 | |||
| 311d490566 | |||
| ba69d2d4bd | |||
| 82fc42d093 | |||
| 10fc48b9ad | |||
| b8fe38853f | |||
| e03dddde67 | |||
| 15064a0b45 | |||
| a2d275366c | |||
| 5c18904e39 |
@@ -16,8 +16,19 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/create-github-app-token@v1
|
||||
id: app-token
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
owner: ${{ github.repository_owner }}
|
||||
repositories: "oidc2fer,secrets"
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
submodules: recursive
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
@@ -31,7 +42,7 @@ jobs:
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Login to DockerHub
|
||||
@@ -54,18 +65,9 @@ jobs:
|
||||
needs:
|
||||
- build-and-push
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
- uses: numerique-gouv/action-argocd-webhook-notification@main
|
||||
id: notify
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Call argocd github webhook
|
||||
run: |
|
||||
data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
|
||||
sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
|
||||
curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
|
||||
deployment_repo_path: "${{ github.repository }}"
|
||||
argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
|
||||
argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
name: Helmfile lint
|
||||
run-name: Helmfile lint
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- 'main'
|
||||
|
||||
jobs:
|
||||
helmfile-lint:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/helmfile/helmfile:v0.171.0
|
||||
steps:
|
||||
-
|
||||
uses: numerique-gouv/action-helmfile-lint@main
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
helmfile-src: "src/helm"
|
||||
repositories: "oidc2fer,secrets"
|
||||
@@ -16,7 +16,7 @@ jobs:
|
||||
if: github.event_name == 'pull_request' # Makes sense only for pull requests
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: show
|
||||
@@ -39,7 +39,7 @@ jobs:
|
||||
github.event_name == 'pull_request'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Check that the CHANGELOG has been modified in the current branch
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Check CHANGELOG max line length
|
||||
run: |
|
||||
max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
|
||||
@@ -65,7 +65,7 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
with:
|
||||
@@ -89,7 +89,7 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
with:
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
SOPS_PRIVATE=ENC[AES256_GCM,data:k9v8gJJ1ZTDbN8mR9NegKpCC8Kbv9ZqWDx3nhs6YAC6U2gxI0RDg5KRx0juym+5DPEVG4ck8y+ju/4uthRUZd0JkexEJX0WKFTo=,iv:hucEFAC/FTQsE4A+JmuY1PeJJcBRAWUqEul5wplVsJ8=,tag:uCYu26tM4hlheT8bCInA6A==,type:str]
|
||||
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:gsq8AIbLENiXfOg=,iv:48QhtPLRq0yWpffQPxmkb1FLOkNQ2vp1/o+fnU6QM/o=,tag:s7ADhOZ314EWMc82kRvK+A==,type:str]
|
||||
DOCKER_HUB_USER=ENC[AES256_GCM,data:/+bIx0jMNg==,iv:Em3MIFQ8B457gwkRGB0JkRknpEQ1maiqW42gh9/DWDY=,tag:Hc8ZHDludj8up7r0tH2FRw==,type:str]
|
||||
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:JHzooEYiqWdH4MjcNT3lL0fxY6YlfyhP6kM0kV6NPBnTtI46ip7nMXZoChkQT7CoPTof3IjMdJaD,iv:/CRQTZhnSi0UxgVd0crnvlVJfStIbYCG3cMTkejW0tU=,tag:p8QAWnwa+M4m9WSQMr7Obw==,type:str]
|
||||
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:oQyuVQFPmhLIL14hWK0vUxo+r/QEj8hb2uY6bntlEyNqrFg7NOameWFn+dvCsN+C90HT9wD9yhu9aXsV92cJxDI=,iv:MVeeLpJU4taPqoGvJ8bqh6bfLHntRfqic/kIBPY/WV4=,tag:gJXkjUvSjrGjqPqCw6mRyA==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9CUXhYSTVoMnNGZWda\nUUJuYnd4VVM0YW1tRHhIUjNoQnZ3cEc5ZkdFCmg2a3dkcGNVSGFWd2hBa3pVUU5H\nVlMzSHd1VlBBdVZHTXA4S214UkQvSzQKLS0tIDVjTCtHSnJDZ2pOOG5ONW1zbTY1\neHZpRlZqVlhaVkpsR0VwRHBWZ0d4VjQKQUFraK9M2bFItVmQ7l9Z59SY9YkhGzy3\nON3028ZP4Xfvr+8FaQj0xS/5rnHTFIKLmW7bbvvPWeBW/LFvfxaUcw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWnVKM2hwdXdDYXhVUzh0\nSGxrUWNYa25KcWdvRUxWNHl1eU1UdjN3UVNNCkJ2Y3FZblBMWlpUKzE2bW1HZUJF\nZldzKzhrWVhHd0RKN01Ub3JLYkNlZGMKLS0tIEJDTy9OUVNOTVdKQ1Y4eGpqUnIv\neTRTa1UrU3Q1LzVkZWpPaXpsamRXVGcK3PBKBPIVV58HT6UGOovjzgxqlrhDo/S7\nhIye04YRyGNZamnff0gOA0n9wXrcvTyFYiv5o9CFQtfg082j7ii70w==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_1__map_recipient=age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWndDNDBoMGxuRFhTalJu\nNnZVYXBwTjhsY3BXZmV6ZW1jQkZ2bExIQmowClZCZmU5L3p4SmVXSmV1YnpXT2lm\nSFlpQ0o0cENtYVRvQ05vWE5XTCtNV3MKLS0tIG9oVDIrdElpd01JUEpRK1hmaWZq\ndE4yQks5dkRRbk9ZN2o3UHQxeHhlMXcKXBZxVw/yVb+qM+puQYOqqUHEsNggZ9LX\nkVOelk2UijLUHx9VCoerrJkfI3mUKCsNCvwnrL2bqezHgg+VhPhukw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_2__map_recipient=age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N1h1OW4wRVh5YkR5TkJ5\nQTlDK2RUSkIzWjJwUnp3b2todm5FVVJPWnlZCjhJc1JZcEQ3KzJYRVBQLytOM3JG\nYUFJdHZDTlN3RXpyZlluWU13c0VET1UKLS0tIGhJZmJZNUx5TWl1YnFJN0RWeEkv\nWjZoZzZiM2lkMlFabXEvMnhaYUdxY1UK3d/SWz3fcij+4W4tq1zRFK+4sCYHTCxS\nEuT/a+St02Eirrg9SW3b52T1RvZriOQAR/VUG09pjjGliaf/oW0pVQ==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_3__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
sops_lastmodified=2024-04-18T10:38:19Z
|
||||
sops_mac=ENC[AES256_GCM,data:HGGl4gcXnli8Z7P2P1MspygWRIHJqTLesf/QpiUUC6qH07Qx5bhN5fA1Oo3WTcz+fXkfAY8SV2RZb2CHxo/NouCiATw7vodX1ttwvsUE6RLgdjvMJl4ecWucZMiBdBtpFF4IHrKxswQg1FEdT8U/JP3Gw0TxxaRXIqskXkytp9E=,iv:fPcbne5lDa6+b+DqB+Q2pJ11EB9Vfpvqd9yextCjv7U=,tag:MkVoOpIApCIluFzsazl16w==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.8.1
|
||||
@@ -0,0 +1,3 @@
|
||||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = ../secrets
|
||||
-10
@@ -1,10 +0,0 @@
|
||||
creation_rules:
|
||||
# Using a single-key group to be able to use per-key comments,
|
||||
# see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
|
||||
- key_groups:
|
||||
- age:
|
||||
- age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # Jacques
|
||||
- age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e # Jonathan
|
||||
- age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj # github-repo
|
||||
- age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw # argocd
|
||||
|
||||
@@ -6,6 +6,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
|
||||
and this project adheres to
|
||||
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [1.0.6] - 2025-03-11
|
||||
- upgrade to SATOSA 8.5.1
|
||||
- allow faculty, staff, employee, researcher, teacher affiliations
|
||||
|
||||
## [1.0.5] - 2025-03-06
|
||||
- add allowlist for URL paths to nginx ingress
|
||||
- allow customizing log levels per logger
|
||||
|
||||
## [1.0.4] - 2024-09-11
|
||||
- serve static files
|
||||
|
||||
## [1.0.3] - 2024-09-02
|
||||
- set SAML signing algorithm to use SHA256 for compatibility with AccessCheck
|
||||
|
||||
## [1.0.2] - 2024-07-22
|
||||
- check the scope of returned eduPersonPrincipalNames
|
||||
- require "employee" value in eduPersonAffiliation
|
||||
|
||||
## [1.0.1] - 2024-06-04
|
||||
- enable JSON logging and LOG_LEVEL environment variable
|
||||
- add production configuration
|
||||
|
||||
+1
-1
@@ -38,7 +38,7 @@ RUN mkdir -p /usr/local/etc/gunicorn
|
||||
COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satosa.py
|
||||
|
||||
# The default command runs gunicorn WSGI server in satosa's main module
|
||||
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py", "satosa.wsgi:app"]
|
||||
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
|
||||
|
||||
# ---- Development image ----
|
||||
FROM common as development
|
||||
|
||||
@@ -47,6 +47,29 @@ Finally, you can check all available Make rules using:
|
||||
$ make help
|
||||
```
|
||||
|
||||
## Creating a release
|
||||
|
||||
1. Update `CHANGELOG.md` to change the `Unreleased` header to the new version
|
||||
number and date.
|
||||
2. Commit and push to `main`.
|
||||
3. Create a `vX.Y.Z` tag from `main` and push it.
|
||||
|
||||
## Deploying a release to production (DINUM instance)
|
||||
|
||||
1. Make sure the release you want to deploy has been built and appears on
|
||||
https://hub.docker.com/r/lasuite/oidc2fer/tags .
|
||||
2. Edit `image/tag` at the top of
|
||||
`src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl`.
|
||||
3. Commit and push to `main`.
|
||||
4. Update the `production` tag and push it.
|
||||
|
||||
## Environment variables
|
||||
|
||||
| variable | usage |
|
||||
| --- | --- |
|
||||
| `LOG_LEVEL` | Sets the log level for the root logger, i.e. the default. Defaults to `INFO`. |
|
||||
| `LOG_LEVELS` | A JSON object that can be used to set log levels for specific loggers, e.g. `{"satosa.backends.saml2": "DEBUG"}`. Defaults to `{}`. |
|
||||
|
||||
## Contributing
|
||||
|
||||
This project is intended to be community-driven, so please, do not hesitate to
|
||||
|
||||
+2
-1
@@ -13,7 +13,7 @@ services:
|
||||
BASE_URL: https://satosa.traefik.me
|
||||
GUNICORN_CMD_ARGS: --workers=2
|
||||
TEST_E2E: 1
|
||||
#TEST_E2E_AC: 1
|
||||
#TEST_E2E_PC: 1
|
||||
OIDC_DB_URI: redis://redis/0
|
||||
CLIENT_DB_JSON: |
|
||||
{
|
||||
@@ -31,6 +31,7 @@ services:
|
||||
}
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://satosa.traefik.me/Saml2/proxy_saml2_backend.xml
|
||||
env_file:
|
||||
- env.d/development/common
|
||||
- env.d/development/satosa
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import datetime
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
import sys
|
||||
@@ -29,6 +30,8 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
url += f"?{record.args['q']}"
|
||||
|
||||
return {
|
||||
"logger": record.name,
|
||||
"level": record.levelname,
|
||||
"remote_ip": record.args["h"],
|
||||
"method": record.args["m"],
|
||||
"path": url,
|
||||
@@ -37,7 +40,7 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
"user_agent": record.args["a"],
|
||||
"referer": record.args["f"],
|
||||
"duration_in_ms": record.args["M"],
|
||||
"poppid": record.process,
|
||||
"pid": record.process,
|
||||
}
|
||||
|
||||
|
||||
@@ -55,14 +58,27 @@ class DefaultJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
payload: dict[str, str | int | float] = super().json_record(
|
||||
message, extra, record
|
||||
)
|
||||
payload["logger"] = record.name
|
||||
payload["level"] = record.levelname
|
||||
payload["pid"] = record.process
|
||||
return payload
|
||||
|
||||
|
||||
class NoPingFilter(logging.Filter):
|
||||
"""
|
||||
Filters out /ping requests from the access log.
|
||||
"""
|
||||
|
||||
def filter(self, record: logging.LogRecord) -> bool:
|
||||
return not( record.args.get("m", "") == "GET"
|
||||
and record.args.get("U", "") == "/ping"
|
||||
and str(record.args.get("s", "")) == "200" )
|
||||
|
||||
|
||||
bind = ["0.0.0.0:8000"]
|
||||
name = "satosa"
|
||||
python_path = "/app"
|
||||
wsgi_app = "oidc2fer.wsgi:app"
|
||||
|
||||
# Run
|
||||
graceful_timeout = 90
|
||||
@@ -75,6 +91,9 @@ accesslog = "-"
|
||||
errorlog = "-"
|
||||
loglevel = os.environ.get("LOG_LEVEL", "INFO")
|
||||
|
||||
loglevels_json = os.environ.get("LOG_LEVELS", "{}")
|
||||
loglevels = json.loads(loglevels_json)
|
||||
|
||||
logconfig_dict = {
|
||||
"version": 1,
|
||||
"disable_existing_loggers": True,
|
||||
@@ -94,7 +113,24 @@ logconfig_dict = {
|
||||
"handlers": ["json_request"],
|
||||
"propagate": False,
|
||||
"qualname": "gunicorn.access",
|
||||
"filters": [NoPingFilter()],
|
||||
},
|
||||
"satosa.base": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.state": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.proxy_server": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.routing": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.frontends.ping": {
|
||||
"level": "INFO",
|
||||
},
|
||||
**{k: {"level": v.upper()} for k, v in loglevels.items()},
|
||||
},
|
||||
"formatters": {
|
||||
"json_request": {
|
||||
|
||||
@@ -68,6 +68,12 @@ def oidc_callback():
|
||||
|
||||
assert aresp["state"] == session["state"]
|
||||
|
||||
if "error" in aresp:
|
||||
return jsonify(
|
||||
error_response=aresp.to_dict(),
|
||||
)
|
||||
|
||||
|
||||
code = aresp["code"]
|
||||
logging.info("got auth code=%s", code)
|
||||
|
||||
|
||||
@@ -0,0 +1,93 @@
|
||||
# Principe de fonctionnement de la passerelle ProConnect vers RENATER (`OIDC2FER`)
|
||||
|
||||
## Vue d'ensemble
|
||||
|
||||
Ce premier schéma donne un aperçu des échanges entre :
|
||||
* un Fournisseur de Service ProConnecté (ex. https://pad.numerique.gouv.fr) ;
|
||||
* le service ProConnect (hébergé sur `https://auth.agentconnect.gouv.fr`) ;
|
||||
* la passerelle `OIDC2FER` (hébergé sur `https://renater.agentconnect.gouv.fr`) ;
|
||||
* le service de _discovery_ ou _Where Are You From (WAYF)_ RENATER qui permet à l'utilisateur de choisir son établissement de rattachement, hébergé sur https://discovery.renater.fr/agentconnect/ ;
|
||||
* le serveur d'identité SAML de l'établissement sélectionné (par exemple, https://cas.inria.fr).
|
||||
|
||||
``` mermaid
|
||||
sequenceDiagram
|
||||
participant FS as Fournisseur<br>de Service
|
||||
participant ProConnect
|
||||
box LightYellow
|
||||
participant OIDC2FER
|
||||
end
|
||||
participant WAYF as WAYF<br>RENATER
|
||||
participant IdP as IdP SAML
|
||||
|
||||
FS->>ProConnect: OIDC auth request
|
||||
ProConnect->>OIDC2FER: OIDC auth request
|
||||
OIDC2FER->>WAYF: discovery request
|
||||
WAYF->>OIDC2FER: IdP entityID
|
||||
OIDC2FER->>IdP: SAML AuthnRequest
|
||||
IdP->>OIDC2FER: SAML Assertion
|
||||
OIDC2FER->>ProConnect: OIDC tokens+userinfo
|
||||
ProConnect->>FS: OIDC tokens+userinfo
|
||||
```
|
||||
|
||||
## Détail des échanges
|
||||
|
||||
Noter que le schéma précédent ne reflète pas le détail des échanges entre l'utilisateur, son navigateur (qu'il est utile de distinguer pour illustrer que plusieurs échanges se font sans intervention humaine), et les différents services mentionnés. En voici une version exhaustive :
|
||||
|
||||
``` mermaid
|
||||
sequenceDiagram
|
||||
actor Utilisateur
|
||||
participant Navigateur
|
||||
participant FS as Fournisseur<br>de Service
|
||||
participant ProConnect
|
||||
box LightYellow
|
||||
participant OIDC2FER
|
||||
end
|
||||
participant WAYF as WAYF<br>RENATER
|
||||
participant IdP SAML
|
||||
|
||||
Utilisateur->>Navigateur: Saisie/clic URL FS
|
||||
Navigateur->>FS: Requête d'une page du FS
|
||||
opt si pas de session FS ouverte
|
||||
FS->>Utilisateur: Présentation page d'accueil avec bouton ProConnect
|
||||
Utilisateur->>FS: Clic bouton ProConnect
|
||||
FS->>Navigateur: Redirection OIDC vers ProConnect avec state, nonce
|
||||
Navigateur->>ProConnect: Requête GET avec state, nonce
|
||||
opt si pas de session ProConnect ouverte
|
||||
ProConnect->>Utilisateur: Présentation mire ProConnect
|
||||
Utilisateur->>ProConnect: Clic bouton RENATER, ou saisie "robert@univ-exemple.fr"
|
||||
ProConnect->>Navigateur: Redirection OIDC vers OIDC2FER avec state, nonce
|
||||
Navigateur->>OIDC2FER: Requête GET avec state, nonce
|
||||
OIDC2FER->>Navigateur: Redirection vers WAYF
|
||||
Navigateur->>WAYF: Requête GET
|
||||
opt si pas de préselection enregistrée dans le WAYF
|
||||
WAYF->>Utilisateur: Présentation liste d'établissements autorisés
|
||||
Utilisateur->>WAYF: Choix d'un établissement
|
||||
end
|
||||
WAYF->>Navigateur: Redirection vers OIDC2FER avec entityID IdP
|
||||
Navigateur->>OIDC2FER: Requête GET avec entityID IdP
|
||||
OIDC2FER->>Navigateur: Redirection vers IdP avec AuthnRequest SAML dans l'URL
|
||||
Navigateur->>IdP SAML: Requête GET avec AuthnRequest SAML dans l'URL
|
||||
opt si pas de session IdP ouverte
|
||||
IdP SAML->>Utilisateur: Présentation mire de connexion IdP
|
||||
Utilisateur->>IdP SAML: Saisie identifiants de connexion
|
||||
end
|
||||
IdP SAML->>Navigateur: Page avec formulaire contenant assertion SAML
|
||||
Navigateur->>OIDC2FER: Requête POST avec assertion SAML
|
||||
Note over OIDC2FER: Validation<br>eduPersonAffiliation
|
||||
Note over OIDC2FER: Conversion attributs<br>SAML vers OIDC
|
||||
OIDC2FER->>Navigateur: Redirection vers callback OIDC ProConnect avec authorization_code
|
||||
Navigateur->>ProConnect: Requête GET avec authorization_code
|
||||
ProConnect->>OIDC2FER: Demande tokens avec authorization_code
|
||||
OIDC2FER->>ProConnect: Tokens OIDC
|
||||
ProConnect->>OIDC2FER: Demande userinfo avec accessToken
|
||||
OIDC2FER->>ProConnect: userinfo
|
||||
end
|
||||
ProConnect->>Navigateur: Redirection vers callback OIDC FS avec authorization_code
|
||||
Navigateur->>FS: Requête GET avec authorization_code
|
||||
FS->>ProConnect: Demande tokens avec authorization_code
|
||||
ProConnect->>FS: Tokens OIDC
|
||||
FS->>ProConnect: Demande userinfo avec accessToken
|
||||
ProConnect->>FS: userinfo
|
||||
end
|
||||
FS->>Utilisateur: Contenu du service
|
||||
```
|
||||
Executable
+4
@@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
|
||||
git submodule update --init --recursive
|
||||
git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'
|
||||
Submodule
+1
Submodule secrets added at b0d485544d
@@ -13,6 +13,7 @@ satosa:
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:bNRbntCYIa0YLGpvPaxomPz2TvrlUtniv9ehs6hdTSvR0DQqiiNq3f04nGKNvDTHzm3rxF/fvLPQFpEFN651iCvyeolvemzDwUlxxcCtgzcLso3VCLtIjaEFr3mWrcQZdOTSA1LbSNrXnmkKbz26tm66NnSr0GqAuj4M6uq2W14W951DP5DMEAIKdLVpIBLPtuj7LfrO8wHYsa5bQHfEby/SVCV33y6GD7NWQP+Og+z8cW+H1trGrySD54JpPWvC866wVXf5+9W5QTa0YAZfXgACnTeDrUGKHQupa/KnE8HPLN2RYBB0riDXfmTZt7sVBGyjFHFTDxDwhCsVfgl2LSXUurWN3R0KsJz9r/B8NRfo4uhW/y/wdgKkMNCm1vSn4OnasCGnDO0FTn9Fn5tJpXFI/zJf6/PPPENgta62Qle8WR4RU9H+OWlrxzP42R2AW4f0KYnjJ/e6spe/+CR7tXfiHHzjwKVOE6W5cc2cazeNZTspCXtsAtT3t+uatZbrjDejuluuZSLa6/ugVbvGyPwr2R7SKtJOMZbEYoIIOmtGy6fXlTnyHXFWr3gSCmhOC6C91IT+MA0izYzjjR+h1tYNgM3y+3D+HIaPCjmE7cV368qOfjCjHVavtd5t1aIBNgGaGVBL+m/s2kzCpAb8fS1Krdga6UyrV2Grc2HjLABdP+lEJj2y2aPne1AyuybCV+LBF83qjLh/gMQ5CN9HJpNEkRAal8M8/YYyBkWSGX/1f9EV7RuPA87RcDJFbduzf7MsY5u+T4kJ2ajz/jPSGTBSr+5AT7pWJpX+vwwN35ICQL25e8mADXcTbccrci0bZes48agwV3dMEMib3AjpSzfyjYnCymCYdKhzKnTeW8jIHIN0tOImU7or60JPalYYy6NMb2YMGEjWRmrXZvG/qOJNPMKiWt6nvrO67Y3OfGwlrb4yS0Nk40qR0kw/F/5M0di0W8oO/+Fr8gGBWxvYH4N5vgfG8QE1xM6khbIt3vxyrq3R9RWjtHhari9IMuJ35prVp6Tas57VKXdpULVFyXO0pQJEQXLTAl0SAdninU2Db1xJnl0N0pwPibkhrWusb/hq+4aXm83mXC+nJZQBRCfPWxddYDyH66xXsg7Atc2EV8XZGiLKisSrmYxvQeHPYIdMJgUKqV+at2vFmQgElzbOnt2/eezlGm17N/17xcDR9JBajL/kiJ0g6oCqjRA3N2AXpJr5rSTmlnNop3qtrjqLkdnhwLRAbp+Wcwy1v5ElkQkdlpS+S2W81odaEpfHDS8IkMh/zViIzCby8mqDhNv2jKeVumXSJxQ3aPBfNgkb25VciH986r49IT9lzA7MVcJ2iakbMq2S+VG45fEp67wOFuZCs0aeKrFkQnkvguVXIHYT7hmM9+mvp1sbrDKcCK9QqHnq//CkSC0NTcU44NB2R6OLfXYuN3ZcMJLBUI8IMtlbkVOrqYJCWzjiKlCTWKxSu1vl9TX/neQuw7aM32jaQ9MnyU2PQPAlbvU10UvSY8eCg6TYk1RL9KWVRHwIWrxKyzuFRq7a1Px1dR9cVeb1CP9oS7T9r5x1KOfZksOcH4hE4uZcm5W2VuFCmU5N/qV+PUR/93lvrHpUSOKucOjUc6aA+DsYLWWoU/FbE5ompJ5z1qGZaceq5ewluZJp07NnayULlyfh7TcBOE6mwS3n1LFdhUPhqAv4mOfxPE/qO8DShOH9DyJK0Txl87qaJw1BCdsurGPl56R9fMiUBugPpLmOYnbIYr2KLSJipuUhVJVJoRu8ZMrI9+CXn3UvrK40KpAkw+DioWRUMNwwoWMalw4rQpuIVR5KrA+HFA2h7LB4S9gF+lEUXRckcI0vH078SxeZvIb9HWnDXY9eBGH6JtpkbAqOmSL9W/jQ1jneiVnb2RHTLvzD0QYutW0pgbuv1bf6CKbDVwLjaMyzg1Y2KRbibHpeBmE5tgNiZJU39mcQBcgg9BzwVDbbmWshx+yEMzRbkzn5D8eGdWLjlrYod5IPJYzFJ2Xib8b+wOeyb425/IALFllugssbIptmZxCIh1wRJlI5FTv7RqBGPzhE9v2sRjwZcTG45qqxipEpN2MyfDQQAySXB4Wn4Hv8khTJwKCWnFcQ10nqcbl9occ/JFGhmKXB/wcsuBZswYLXb4fXDw41drqFihJoJkOI2a1yQvC4bjZt+L6irbxXBtqzAtGDzXkFoP6SocqeU5QMSHr8V6CY9uTM1d3TGgS7pfMlD1m7FqmNUHbFA0tM+vue0EFtEwo=,iv:nIG2yH87Nni9T6pIULBT3UjE84fo7qcXKh1HMaNN8wM=,tag:cxicrx6v1c6ggtKG8wGzOw==,type:str]
|
||||
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:vkVGrB0KqjCGU9Mmqo4F9ClzVz48kRCJF/SWXUChnrH6iILBKKd8qpiCdh2r44Goufy5eau0fYh93DO9/81PkXzW6TpTKIhS6L0FxQ0V4Ur4QOkxTUAyuyepSrWCBfH4KCo0WmaGJUQPKT+rvyy4AysG0cEKIb9CZjYx0C21M97q3PGMOa643QrWa4VLJf9v1sOgv0pBUElfPWzUsKdslD9unJPtFtYjGJx7Nz5MPNuFfNqS3U4kaAgmDn5cYNfFYc0su8DVtQSED19KN3NNcMfW0ON5dWvkvqFRbd8UsL//bWQrCP8EsQAipr+I8CTEbOzMw0XmGAMglAB/fCf+wf+W2txXTHPLzlipweNKealy0lQsw7+RRcx4/ON8lcMm52zpf7H3VtEwn6RxCKOrmF6M9MnBxZEYYvramCxA7KJ1xrKxmwwPoikxRnRYJN52shXjt34+3ykaYapuFYV5tnMM17vhtpCSRaEWoKzTVGR7Pb1sEn0yBMuXADEhjVOFTHEPWpEUX28ukA26Zn4xVrMiL9gGK9z1Nemiw65oLY54xmdVelIM1djsKfqenODzCqmlbq950GZWUBT4LaQFtkMuRJK9Y2U+jI0JCA6SVlGSylKSWbaLlzKU97xf6HMKz8wvw+aPJX6PDasY9C6JDRy7O9VTZL5UKcbUAtw6q7sp8TVPbssMlct1oM4YP2RYNKo6mZE7NGfL+IIa6H+hk2o7ULW+H6B4oz0i1F2HFScLRYhxCgl5iQtxX4oWpqn1Yag/1WmsJUL8tM1wE7MfX7T4Aa3eQzWEfjJ+CgTj0glaWoKl04myFSA5/howv8jE0xYd+eCBvftiMCX81tqvBSxbE1qXZiOnqYB4vsJZbaJzXojTzV9rL72cYviCGSk4xklJoD+ycikyn/iNZ4hET3nzrDZolFA/2WCFbFtjpGPXndoiflSOOhvPb56w1bs9/af3p79GWrm0uOMkMo4IsQRuTgFhBETmA3VdVKCGMswmC5lHB9aZ6JYuQINxufKSo+hw5cnF3qstGG0b+AjCdmEK/xaN4tuOeuFPFj6y4EVB+9xPNCbyP3jk046DO2fUnr/sHcB3LYsGZuo2hw/qxua1/LXBJpY/Z86sp/EKHGBRIrBhq+zTXaiuEbUon7xpE0/rcrMZUuz8genyA9GGQsnmhV3ykVSb39rJc5SJ6m5AxaowobEuEYDUGSngSjTuBO/fQMjQAWVdpF6s0vhTodv0oiYR3fARj9xhNrTBcSF3fBHIFYlzqF6sq6Gvjusog1ihkIe05o5OzoHLvf8p7sWQ6MvOaiUnH7bPieUge8ERwmDihoaPgWVgNAEQAZ5FGB5VAQ847KR5oOs7YU0uhn+xXaRdrsxI1YzOJcfBx13+5B4Z+yu8SwBGnvkZPdrBqaizSyRPZuCw7RBPxSbjg4eJaVFdOn8OlzvYxEaTXYopIXo4Bjubaws8QITqAduFg7HS7TWGHDe3HwI6DnlMfcgYrZl1l/FHlSYjdbN8Fr9cHxYNJH5CbLeB2jB4Gw8HzsmSNLXT8fv/aR0RLfNvtScrMg==,iv:TxSEZLotrgoaGfdPndOkluXAazjc49+K+pJ7Vbv9wZw=,tag:1DFBDaEMsTFw+OR9lxu8Rw==,type:str]
|
||||
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:+ccVB/bzqdvL85ub+/Aj8Oo52D46Dbh8nFw6tzbvqa6jGz5Jve5wNNMEToBD77esdqNE77BaO8jOPiwLh15m6dpjIK8Cgq6N3PoQ8OADktYYSFa+GLmBbkXISIXyDZZmp4uUoVMOIv24uLtScWhugB0OksycmlVzj+620C937wd9RIC2bSUwUjRs6nodABt4flLKURkAyTLTt8KtFJzAmeLgLEoTCFpXrVlaxgOZjB6qNs3bJLyXCJyJj6PjQPCOGTE0PT1uNRCketTDyDWKQrIG3v5n1OLssnwfwHZk9Er9PdlexUuKmueWvjrv9ANfSc3rhv9gAHH107p+ji8jtblVF7CLGIXLjRjDpOdQbKply1sD/LQaoKFPZTSWXpXe77j/pjmlnJqZ6kt3N6DZEh2Xo2llR1KUXsU4bxpB8VoGHUPoWFceNgQLt2SO19NKEDg6qJgO+qzAMsUCNFogoXd8fo3jO2BWUraqDdyxK6f1Qr5eICBHKcqr82NOyllRedkLCwNeln2Gda5Z5BwhfcfEcbPQ0L7dmGq0ApuTRc0LX2CLnDqnsMn6Ax/CV1gbYS8XCLk8QA5htyRCAki0uj6G6+b1yDlZqnR6c7FW+FmmpNUBJK+my6Czp4wTW9aEFiZhcA+nAsGK6VGCV3nNvhhcOAGihTUdSBywSHW8fF40+uDrkYcB1f/MkC3VwwK2EWQbupYti6vrlWF8LKd9hapFWLJy/HL540UuWoUSSGLJOsfzCDXDOsDfKQkcx+Of5APQpkeJCirgj5UBYnAA7h3618hUrkTvSK5SflqYL7nSQ2iRdpiCdSm2FlgMiGUusoKYtDtQmfw/KZ1i12nBIW/4gul8SU6MlsHa9nC14NYqE7Gm+rzv/1z0kjLrE+SDEdAT5YNpoYpwjiljBbjhNuaxetHyJk2v53aQnwNTbiEy5XRJ7KvGPyFUJJkMYGa9l2HPPzhhiSMp69SX+hwooYtRLOkO2/76ltgyFPhY5BIShcSA2iKLgg3rVTO4w8JE9VU0F/sgGv76C6ihhRd9zWdQlbcaechcLG2cjdXaa8+/a3JJfTsV/18dzq+SkaPOebGpgjW8V7Fw4Clbxd/ZoADkq3sfV1WKpzvIFoRcXW1rXlFT8u8lyYfxyYTsosEy79pTYLKoiuwQ3xnMGTywP7QZ3aYD17RNCz/YnN1ARFQVldaqyA0C1GG1CSiSl2PKVFI0cd5lFPKIeXhvcct5bcJBEHw3ZBt3u7MzPDiren5ts86BgwMbjdcTcbsVSnE6S7+eYeg1oi/AzscDIi4U/lgNLtPOhHk53fOi6UvMYWieKjQL+JtvGIJ898ZqoAN7Q+/ZLoNepNVIYSqsfkkgS/fFtvvl6YEVJSXkVUxMQ2s4AP7MnW6Dko1L7tzaINl9omK01/Y0oIwdUskXqkTpcBVuvE0hd5qzcEL9UjN9YCyU0kYa+4sgYrvz36+/gohSp/ZMK0M1kJUn2dz5dw2oQNK54pym+8gBHwKfzydXMJmSh9pe7tyrOnoDBevetghd7fBcxHaC3SbfkRC9bDZkve04/dOIhI0y4ECs+fRgNXzVOMy4dfA4n+3Zs2vqPX7dBF0oGqPnvw4W26F5exy+Ks2Js7YjzBEHEyly96p/8ja9oBJahvaNGWGJ/uKj+S8Pr7RcuBSrzUKgCNCPay0pL1xttv8BHkJNiM6hbnH28/w06JnKp8NvBgTX5AgjbKdJUbbAh+ElEaYzi3zqri0EwyFb8/T+F1UWqp3lWgh0ztWL6hU8M3Do/HqsfZGgO1GME0goe+rUqYJtemKi4ObNPmVsnK7xfKMheVxhsdJN1rSbq4ZAiip8ZqvREgA5wMNgb5HmdJKFZOj3FpCrnOxn+/mxPXMaC5lpfdv/oazWvnEMxzpreY10UBSaCrGYWxeZHET+ryj2cOxc2mv+01tdRQXNHEBCQDprOcLpBxrWK28QdFfb2bGpHAZODeBn05CWGMAD/UjAD1FaWFg546NpOC7/2BuP9RzUSKmCGetbK+LEtjGT9G1ljr610uvmI1gfMAvclp2Jnddc590Xzt1+7VUUagBpUpuJyA4Hd3cejumfUz46T20ILs75nQewHC3lJ/K91ZgMzAmy5pi/iUvcX6yVn5T3FQviRLLQOlCGurBt4gGFd7Z6n7DdNQPf1Gw6PUnTWLZVR3jG0x7fCIlsU/A7RR8fc1XB2D6qnGXazMgQJkv/Z7sIkfyOrShuP9k/9iralWQbdup9Wdxxy7yAbrH4GvB7FEc=,iv:aWuvKqvB5IAqtX9eXv8x83edY1a35A52gfSi461dwTE=,tag:8skKS0UvaOZy7KP0ii8fkQ==,type:str]
|
||||
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:i/Eh7Tw2bRmt7RGdl3DgQtW/xWRH734NC34iuzllKcEiCjS8HhiRrMdozEsoo+jd4h395XNw4bUeBIWr66JY0A==,iv:nB3bKa3rm+gONINsKyRRSQkkJWO+JJlb4B9k9o2DpJw=,tag:MesJ3dZYi92Fi+Wwrs8gnQ==,type:str]
|
||||
CLIENT_DB_JSON: ENC[AES256_GCM,data:tEm3OufNzYelKJnZHD4uhnHPAQq3j8uWatdzFBnERYrKHejyQJGbrgzD4JMJAGQp6hNlSst/2uqhaICoXPLzSOkq0iF9V4P1/HRaA1qpbtSJe56wiMzdXb4tvcQ3aSeEmNQsHjnoTmdrNIgMi2/X0YVd3Zu2Ju5gGm8xIBnlBnUdBS1BqFBUoDIPoj/dku6KsdJSKRQw05PMzH4n0jCgqtPgMXPDUFHFwrXv0wsWvk4rpie2LQhIGMxHa161fybmPpXU5VMEiIho0tSXEO69JbmP7jfpOEwJqh3Ti5URTETXxxdzoDX/E3EY1RNtog9WkfsN2Bzxd9BzfylLnf5Qq9EYuABjpSzhNMeWZsMn0ohRTkPlhNo4WHuYVaR2DK7etm+YwLLJr4KQMlZMho6uKXK6UC2wKAVHgg3zULd31ZUIpfKChdfI,iv:+Pbk1dlO8mDWhdyj7bIZKmswtIA0+KsV+6kAAdSQebE=,tag:4jiRZr/HxWMXZ4a8WeIu2A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
|
||||
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
|
||||
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
|
||||
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
|
||||
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
|
||||
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
|
||||
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
|
||||
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
|
||||
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
|
||||
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
|
||||
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
|
||||
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
|
||||
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
|
||||
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
|
||||
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
|
||||
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
|
||||
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-16T14:23:25Z"
|
||||
mac: ENC[AES256_GCM,data:rii6asmLqUJnunn4eTj2ClS9yBjSeoUo1JrcrhQupb+nMIadWdgG0OF9uAkmJTfGSbrGJNhuxUKH6DEzG5DQ9fMv1xdewaxFcHn0xS8W1OypgYOxGpXtChcPfKX2Px8bfijFi59ETnvfIl2mbCqVKeH3ZUOk/yN7FbCVLVwzCy8=,iv:AcyRzDVoCUdUv9q8FqL4AOffWCxEfKXr14goyxI6sKw=,tag:ZOm97QO/rexjoJJWW2G/Eg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/outscale-production/secrets.enc.yaml
|
||||
@@ -1,7 +1,7 @@
|
||||
image:
|
||||
repository: lasuite/oidc2fer
|
||||
pullPolicy: Always
|
||||
tag: "v1.0.1"
|
||||
tag: "v1.0.6"
|
||||
|
||||
satosa:
|
||||
replicas: 2
|
||||
@@ -9,10 +9,12 @@ satosa:
|
||||
BASE_URL: https://renater.agentconnect.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
|
||||
LOG_LEVEL: info
|
||||
LOG_LEVEL: INFO
|
||||
LOG_LEVELS: '{ "satosa.backends.saml2": "DEBUG" }'
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/renater
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/agentconnect/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml
|
||||
SAML2_ENTITY_ID: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:uVs1uGoFfESz0eAkxvPUkSXQw6cCvzi+YfH7pbXLxAXxYhmiKf25JarZX2ur8au3pdOd/rz0mZGpC2mfN8Fh+3+a0hseuvhqTetiFlc7Gc84HTXnyUQFzZa4Rgk6LeKGB8TDLG+s0F46u75KrRdHrwSbthBQhtiZCmoc+JcqSKJfl9Kv9OVMXEPHUy3zYvIy32Gk/+BEt+J9eo3RT1ZmmyRZToWWgXe906n2Bhvm8q05OgHkbCqu29TGKBviwikWTa36aUWNVdWh6XW7CtOPjWDvjYbVgb3O/Vwmw3mPRGviuAK1WS+kzMyP5oYQsWC5F97R0XlhnKElxpIRycCz3m/YLShuM1xtStiiR4mym6mNi99YonQ6hbodHSij9R/udXyMLeC5QZM15XzWHGFA+NemqVMGZ2C/xIhHCNUscKvHzOiQ2RiTk9VxNZfSdkzEXe2gMbl/+o3hSj8usFJOZWgToiYN+oBXgP1KqRlwdPSysCB3hs6mysn/1WlILWXN+EOYJP1jLsv1T4dC3ajujmnmhCn3/EYVI4TKEM6nJNs2KxNqlsC2D4G2n8NDciZVUt5a82tXWW6/ROA5UZDFOILkCHvfk6nkTRZjcXWmtPmCgwy54TysJ1wLsIycAsd8MuBTD3d9SpYFHKNC74O30bJe8GqtKObvHg8Ycp36+oH3gs41Mv5H32DumkUF6FcMJtbOEOYoEiHtuMSVXzuIdr6ikYQsRBU4v0UUpJTdMl2W+tYB8NeWBdI4jYaR+xwLw4+gs/deXhE7USTlPZJDB6a4DValxm+p7dLmUr5McgdhyEAACmxzhiSl33ccV2dIQCMsk4RoBXCZGX10ElY9bMk0vLaB5/n6qQgP51onxOUeJ6poKj4wneIZ7WmvbBfAVFUHoCPMQemjEEk6jVza4la4yQUW9rCgo/Tpfb7e05A+ux0CvNKvhcJLfyxN+LwDOw5X4p80gdVO8aWKyE+Ue6GPQBMZ8Ma31jlX//4KeIVcjpZAdutp38vJ936Ezrowu0HbviC1f0pJWXBVw0G8DGtpgorYhkN3Biwzu30jMEcWJXFSPqBGH0U2I5D4IXsDX1rH3DAR5UOKMVbWJ72zUq99Uip0FiaY1IVZLvfkfbPHwVq3jmuiZ/nXn1HenmNlkYOmOtL5BnZ47gHgXiMgFx6YGMBY50pZvk8ISKcacP52N9ph3EkovJR3Uam4XrtbMV0v9AGHX9aXYF1uB37q+ifZ4KB0b91dbXIUxXMb7FrbZ/iDX56+yTzdxdnXHWsmcBtPNFHxo+QjZvk4+UWlvoahwLJMGlxtgk71TPF65ms8y4L5Qq1vL2BgGiKWARWmq7KnrmrXQQWRZAXQd0lfqhVo7GDhppJUKBgYSQ4rC0q6u2mEm9YJc/3vsudKkwTyoYfBOmmz2+xI8fdaFuzg9UWswG3n61HMFYVf8+WAmoS7Bo21ns+KiIOroGruYdExr5rJOPcsLiPEr/Qmk0M=,iv:VI5LR7U20u6jG2voQgbnKcXclbWnROASzoYYz9N8Qlc=,tag:r1hGWOZRaiBblWvntcdYzg==,type:str]
|
||||
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:svNEf0i2AB0fQlJlwJ4tkST7R0GGArPGw7iVGA4pRYedphZrRkeTVUoI3e/Ku5fTv2IXBK4NU5NB9OvFL8VaX1hN3xxWcW6htcOzSGPklee/U4j9fSnUvZzCHtCz1sYgCoQCPcQObfLA2S2H+CMekJpy53djxfjbZdo6+A+T1Lcqk/aJkl8IO0+LgfK2vlp7X5hR4BLS+fdVOrogqzlIrr7iumvSBTS8RY0dp87iLGcWmKCYLrvSieyneiC1VgYughl6LxcPLBTPSJFZBt0NLR3oUMcumBaRpvrlLxPihJbqyC4Jn+We0IKBMYmLCEBBLjx+J4EFLHaG6p3+SyUmLYNJMeOvvexR/qTaiuwUp/3gsD8PrwxFVn7Z3jeL5gX0ohCQyETNuLpAw47yNAlHZaZ11FcFpRUINZrPBG/myJk4i40UQ+AmWBPgS/SxmQj91hoUPw23VDTGWLKv/B5Xd48A3hEOKeA7PmGOfCfd7d9eOJP42dcqWyUypogELAJgF+Leci4q6T99fnIGlBahJK8yDltc4NU4kEAsACdIBZBK+Ezyu+n1hOtg9BEDOUeilSy1TAgfi/B9CQrFLU9cSo1qFPHxIkaRPV3IVuGfEaxNpVrv68RaicYCfeUWIcQ3h13ftPIQlZ6rNukC1pDugV4GrPTtapokV/Z8/8QU0BcRAmfDIniBlk+uP2ga8YDJ4c1FDl6KYQt2zyzFQACOoVPOm/VvffGzOl042iO0ibHAklZerFgbjsiUCpBcRi4dOFqMt6OkvdTldFYGOm+FADtVdJaRoUk8uXe13GCUASjJUCrMOmimEb6gKNYbm2u27kWBIlPMNmLlelVkEpmPCmAl2yLXiJhdxBu0YgHyqwqizKOumckoYditFDXkK52ZtANqwLaHNtGV+aB5dvxRlN5NhsUYr9zLmgv4bUkYL2lI5p5IFN0Lha0fDG105FbIoqmuKXxWJ7IL7MisQLW5DGzN29gWH/uh3A00b3jiEn/0HvEh+P/38t20/IP/l65Z7OZAf2VA1jpCv04lKPXYmvMbcXIROhWcA1yqJvdgiNIh8eWWt/1mFzjRHQ1vfiW5XEn1Yoln6Q++Q5RgnlraizuZWDGeKvP/b5+B15lgdx7keG5rmSpn8ogJD7Cey6epsVY84Qbqpvcp5i5EcL/cMs9NkN2Yf6EGKhczILOAwH2YypWnttIz8OrftjqPzbAP/XOXLFxNbFBlyzLlYwTcjNUIZtg9OwK3k0zDKeHT+q6xSMFdyf3Xpdoh+NJD1QYzoSzosWj/Yzxg9bZVVpKOb89fkGRpNtCuHEkprr0LJUCaPSArANE+MH7E6uisBVvIQwF9MzTf6apHoyUIi0Oq0dRpryvD/OBf0V0Zn75uitpoSqEZf+i8+L3s7dsFp1lEwywUZuZPxmk8kOIyPGNG6KmuFOr0j/6jPO4/05dIvYb/f/sSCjQo3E99whPx5Of9tmlU4eCM4Fwzpgu/w4uKy4f27W4LYosfpENHGRbaWI2XFmmNL1J6Lm6h1yZ+3ck0391zBZA0pp0tNIR5AEc5UBn8GQHrmk9NW2QLMqQLPmhgAD6unHeJY9iYMoCAMqc14c6gjF7gjBCrZd58qBTcNHw3p0GJXACgCm/OGqhRYFuWF0kJUugnTK9n1wfy3/HNE/adBnOqJWEkoP4n/VVL+eucECBtOX0jPFHmPsMYMSdwupCB32G7I36dQPYQsjbD+Sg9StAQxbXUIALRQ1cMaeHpUNSc48sE8ElrjZStNf46oWs+rDjhleWdOlpfsOJ+qwJrLLXFqBMeFtgXpzL4NnRoEGjFFK5l7EtfGDK0/ytPPmOwarjEDftaLmDTfBniZrt/WuuChe7MHbKRcGFkBYA2nbbBfMcpnsGBXpEMQl8LYZR9Sg8hMT0rFYtXj+h0ceCIfsa1HdV43NR/oos7Nf32rjLAu/jVUMNwWOKew5+Du61gmhBVpVNtvTe8+31dYMoQGQrIbxnHQmT1fu8LB0Am45+Zghk8sc0d+81xEzYxvYXMR/QMbwJnWGGI4e7XSUMA5k9xKXXNDeYNCP/e9BGhl9sS0XYX0HSrjX6rsVI5K1QRjT+CBiIqlS7q6bofZ8tsiYhRSh7pgYgvodsPKezrZCTTY4/Xyg9iLMtqtpqMnfqmbaYvwJ6r5LbWeR89tkjmlHcWcue/85Y2D/1COiGFRODIityykTTjacGj/MlYXPE3O20Lr1P1YP2lm22i9kM5jKuCiGbyMn8ZuFVQ30Hnwv2qH4k=,iv:itJR8JpZRrwhbQY/kTEURY28vyu1qex7GsRme9icZYw=,tag:JgkJOE+bdK19KjvdH/k1Ug==,type:str]
|
||||
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:8I/blGdvSDc+Hy96s4OsULJTo9+qyF+8Z4mxA/S11kLQjhue9sRTp/2Q0Db/gw0fMibb8gwrRi4oH4BsHfXaNxtyPCxrgwmeCpaq0rvgrOn+czEDQGErf7QxHnzvsOMBqMygRWKk3aKLjZTNvfMeaQL9KSrtEgePrfUvykSIPwN4HwtNH9Tymq6xopAhgk9jWq5kzomCu6u4OCxz9Fp1GgTdj/gLplMWYeTyWZQFRPimZoBfoxhbih9qofw4uqmN8+iT/Fj9EOAUMsdYeI9i2GKoT/YRso8yipi8760teUwqoDntTVv2ExR4zDvhI5Z9jISyX3qAXls/bwmwAWSb+JIxPAwgbsMDwmPTHItG3Xr2NPkiBVWujMhg7duq+labguwUZelpqQnvnKbxWHm1+NGRS+VYpPQRvzRREh02ybDt7/yjQMSAhWOkDXzZf6WNQfEf5jguz3B6CA6PGAwz9gZX7JivP1O5ontaeULbF373VsOQPmn57qZirk39Ntg7S9tkt2voxilSBMkhDsSXC3Qa9veGnd+t+Jg/YCEamoJEJ85EBfPzgvr2s6Av9D8B2h/gruXCQVCm/Zr9BX8Lus8JmSohTeZUFVteabmxr4W0gwPJgb5Ki0HciKxGsE7ITA5SFFN4LdxsBHlvJ0aJ1pipYfkkpI3YdC45CI22b2gDNIqVamK8hpYn8bTP3jLWsO36M/wnDB6oKsFiTTb4HxNuWVzIshQG8Ua0xwuhizuvZRDuRPUe+gfaiy0Dqzo/RLX1C92TJ7tYzlpM5/u0n7YkY5+/IB2ljnmAC5Kj5z+kNxhTflX/8Z62WTPBZlzE+kJb9hgMQQ8t7jDk6RnpmrUhOKx7rzrFzI/qmXC9+8yHEhiCBI5Wn3R89uCwV0O6WAhIuG9zQiaSiCwDaS3DHCy4PgcUBdbh5tddJ6aazmM9xBZFcevy06gWKmdjbkg3sacjCpTTdnIT4hwxdISTRWtuyYj+pp1d/rs5426yadftPI21OQ1F062nSTKtyViP8PFxzppbCzpSUK5oDdL7wCX2+y8071GJqNipLw+hUS/1z9x7GvEs0Fy5ZOefoHShO/vS6CfXUYoPNpq9ZiAoXvLCRSfY8HEqfOF45hFJLJsVhaKXOe1t4mfHJxrl88NKZXRC3nvSdoqwP9MTdNuvTf86Gn4n+zd3qT07ARqjq4hlV3L69xBxAK/QFrxHagSWOE4Z/tHvYYEiohbn/F6J4k30uv5KnR5P2OpXGRiS5eNXzXdfW+DptBHttmJKtzxD4JJbWRP6kFaUZiCLQLyhZTWoPHmFSTphkxZ2MkqCx13eFTHA927/zehAYCU/miJ1JLATMYaD3mHWifEKRipfG406cF1Y11w27Of3fmhAhqO/7LeZX1a39NXKHW6sIk1Rz0mEaFT8tpBUUxdR1FVaj//MUc7QsvzaxT1O8JletttC8wlWx1mePS1IU49O0DyYcZn4BW8vVJFDz24N7ARb+WcajmsopZScgNwO6XqvDaH/j8mH/0eWCFzIMfW0+pUoCrrmAtoHQ/Z2Dx1j1Yhddxkae1dwoyWGFDqLJyjJ9Hq7Xpx9jQOGGP0mQ2TOw1zwNCzfnWV3MTXmLLwSMc4/ZpOxSqsmI9RlMPE8LeU+ee/jhINYntD/q0zykcoSLj07SfwnYBZPfZcnxNyc94fyrX6GYGfXIAmPR2/pryRtPyXLR3WK9SbL/8rGN50mO42QlvXK0azWRe6gMT4yHZP6V6d5Vqrte1tfhUf/DYuUC0on6qHW5TDrWw7QBdiUQeip4YhW42vgU2WjjNiPZF332uExy0pypO6cZTnsR/jCUZxFMd/IVKWyhAeJt/Wx1Jli1c1SNTigH7LCrSLyrsA2tmufRAcGXRzG2C0mjwofWb7zR1IGCZ0yoVPSt7HNpOY5WoBLpsbhXBodyYTmrSprxXu4cg/n/G8jbAo/xW0AriJolA5k6F9/DWD/tDnIawhwW4AqqeWDk1MmNoGOf/OMplDdwrpkmclVidIcNnaCML8iuKiPx4g+8mdOdkc/mqIP8zaSInRV1/IrIGGSGRwSfQ4wyRFGqC8fYckympShVAGbetOLXn5dd7S3MGlh6n/rgUecqYySs9ckN2Ti0F1g/2CMI5g1Tn4fF2dwOk/iKFLvsSt5Y/vLMTfjK7W+FSg8ImtLs/Jfbn0rrlMVjoBXB2e/yajmu7r+xneP0OeRja+oA1gGExodDmUa4zV6QEU8IFSMLdnqMtShDdRs/XT1YAHbrlS4swg=,iv:EJEMIEsraig+i+5PlieAwHS6XV5bP+wlxv6Wni/9Dws=,tag:DM1XLnEtTp0vFEjAD4u4ag==,type:str]
|
||||
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:U0BoVcDN6/sNDST8epqmOzs5oWok6lRZ+hLo7O6/Mkz0cqB4rcHe/OOC9HTe39K5WUCD25Rfrb4lSeK0Finl9A==,iv:NM9Wjlx/llNc7Ws8DaNYy9dVq/oFEdlK5a/Alr5ZxVA=,tag:VT8GhiFxeI8AjdcKdRkEcQ==,type:str]
|
||||
CLIENT_DB_JSON: ENC[AES256_GCM,data:C1UpicWcfmngdnBqGBMujt8aUZ+WpmvGs652NgR3gvN+aeQ1mMFWAjjCza5q9jN2sIhMbmu/NPrcTvLx4UNE0MOIclrWWbPdxk2UyylU+7TEas6V7OrpJa1e5D8msSSAnPLI7YSrRILSrw6pktnM/07d7S8Q1fkLGxJYkRboTGbTSRGRSSMDFdyrdrGiTDnc3H0y7FQerzQ8caRgRvb1JW8OPpJ+Kpk3jfTyFCNwiyJnISb48QCQPQX2jg9GpXl6OaPg2bw5OnnM1hi/qL+43nR/wV1WnvH/Z+Quvwgj7RorpS1TWVeLIC6zo8o49XFg6aHoiKigma3U/8ZeccsxpYHdsqObQ/mrSyYS87YNHXbl5miwjevaBGIj4Vteg16Vgs6R4jd8qgan+zCCfu5OwGmmCFG4M6EnuWhvQ5YpDGjclBc+q5exSnrb2hVOsEpYB2iRpcd5KNexrhCBJQZVMWRtAhnGIsupImctHaFVcZsvDBUQ3tQ+glt8s59VNZlnXPGE7hnB4L60PxMUJVhL6p8pbQtNvm6fCUBORoU+FCXnfGoK70Cxc/O6THvIcMH8L12rM0XEe/QyJIqRrBUtQcXgTZo3cB+tLVKW/MwKMyCk4s41McyEjL420pFh8cJ19iHWw5vZ4pZ4lkdtyaf3OI5eIVrnKj6uU96/daJSTOJCUgdyj/Vve//4m+UN7qkbnbahPRt5MZIY6P6P/Qs0JeV1tUnhe4vU,iv:WWpqoOZaXwIt1uziAdxgYDNSqR0XG0n/QexgIRItbm0=,tag:gzhESbDbnySTMMoJQiQl/g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
|
||||
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
|
||||
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
|
||||
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
|
||||
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
|
||||
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
|
||||
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
|
||||
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
|
||||
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
|
||||
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
|
||||
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
|
||||
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
|
||||
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
|
||||
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
|
||||
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
|
||||
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
|
||||
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-22T15:46:36Z"
|
||||
mac: ENC[AES256_GCM,data:Nc8rhWtwyXedqESemEusiy2yeqtDbjlep0PAbQ7UW2+jdZZE/uOW1I7LvqTNOKwPwMwFgT0+PyuxOzcSrYtH24A/QSEA2P5kH9S7VXaAZmrWYANTI1pMzqaMGYdP2KQlgK3SqBPmJlG8OHYAHpYpFMIUduWiYCdgEZCfzGbzsfg=,iv:2so40E91bgVh2AL5D6Ju1CXP1Bd31kN95/86/Oinkg0=,tag:rHy//0ddChLA/dIN4P0EhA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
+1
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/staging/secrets.enc.yaml
|
||||
@@ -9,10 +9,12 @@ satosa:
|
||||
BASE_URL: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
|
||||
LOG_LEVEL: debug
|
||||
LOG_LEVEL: DEBUG
|
||||
LOG_LEVELS: '{ "satosa.backends.saml2": "DEBUG" }'
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_ENTITY_ID: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
@@ -27,5 +29,5 @@ ingress:
|
||||
host: oidc2fer-staging.beta.numerique.gouv.fr
|
||||
className: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{{- if .Values.ingress.enabled -}}
|
||||
{{- $fullName := include "oidc2fer.fullname" . -}}
|
||||
{{- $port := .Values.satosa.service.port -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
@@ -33,13 +34,15 @@ spec:
|
||||
- host: {{ .Values.ingress.host | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
{{- range .Values.ingress.paths }}
|
||||
- path: {{ .path | quote }}
|
||||
pathType: {{ .pathType }}
|
||||
backend:
|
||||
service:
|
||||
name: {{ include "oidc2fer.satosa.fullname" . }}
|
||||
name: {{ $fullName }}-satosa
|
||||
port:
|
||||
number: {{ .Values.satosa.service.port }}
|
||||
number: {{ $port }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingress.customBackends }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -82,3 +82,16 @@ spec:
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ if .Values.satosa.pdb.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
spec:
|
||||
maxUnavailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "oidc2fer.common.selectorLabels" (list . $component) | nindent 6 }}
|
||||
{{ end }}
|
||||
|
||||
@@ -33,7 +33,9 @@ ingress:
|
||||
enabled: false
|
||||
className: null
|
||||
host: oidc2fer.example.com
|
||||
path: /
|
||||
paths:
|
||||
- path: '/$|^/\.well-known/openid-configuration$|^/images/|^/Saml2/|^/OIDC/|^/ping$'
|
||||
pathType: ImplementationSpecific # enables regex matching
|
||||
## @param ingress.hosts Additional host to configure for the Ingress
|
||||
hosts: []
|
||||
# - chart-example.local
|
||||
@@ -48,10 +50,17 @@ ingress:
|
||||
## @param ingress.customBackends Add custom backends to ingress
|
||||
customBackends: []
|
||||
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/use-regex: "true"
|
||||
|
||||
## @section satosa
|
||||
|
||||
satosa:
|
||||
|
||||
## @param satosa.pdb.enabled Enable pdb on backend
|
||||
pdb:
|
||||
enabled: true
|
||||
|
||||
## @param satosa.command Override the satosa container command
|
||||
command: []
|
||||
|
||||
|
||||
@@ -67,7 +67,8 @@ disable=bad-inline-option,
|
||||
useless-suppression,
|
||||
missing-module-docstring,
|
||||
missing-class-docstring,
|
||||
missing-function-docstring
|
||||
missing-function-docstring,
|
||||
wrong-import-order
|
||||
|
||||
# Enable the message, report, category or checker with the given id(s). You can
|
||||
# either give multiple identifier separated by comma (,) or put this option
|
||||
|
||||
@@ -22,9 +22,12 @@ attributes:
|
||||
acr:
|
||||
openid:
|
||||
- acr
|
||||
eppn:
|
||||
eduPersonPrincipalName:
|
||||
saml:
|
||||
- eduPersonPrincipalName
|
||||
eduPersonAffiliation:
|
||||
saml:
|
||||
- eduPersonAffiliation
|
||||
uid:
|
||||
openid:
|
||||
- uid
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
import os
|
||||
|
||||
from satosa.wsgi import app as satosa_app
|
||||
from whitenoise import WhiteNoise
|
||||
|
||||
# Wrap the SATOSA WSGI app in WhiteNoise to serve static files
|
||||
app = WhiteNoise(
|
||||
satosa_app, root=os.path.join(os.curdir, "static"), index_file="index.html"
|
||||
)
|
||||
@@ -3,11 +3,11 @@ name: Saml2
|
||||
config:
|
||||
disco_srv: !ENV SAML2_DISCOVERY_URL
|
||||
entityid_endpoint: true
|
||||
mirror_force_authn: 'no'
|
||||
memorize_idp: 'no'
|
||||
use_memorized_idp_when_force_authn: 'no'
|
||||
send_requester_id: 'no'
|
||||
enable_metadata_reload: 'no'
|
||||
mirror_force_authn: false
|
||||
memorize_idp: false
|
||||
use_memorized_idp_when_force_authn: false
|
||||
send_requester_id: false
|
||||
enable_metadata_reload: false
|
||||
acs_selection_strategy: prefer_matching_host
|
||||
sp_config:
|
||||
name: Passerelle OIDC vers FER
|
||||
@@ -23,7 +23,7 @@ config:
|
||||
# - url: https://mdq.federation.renater.fr
|
||||
remote:
|
||||
- url: !ENV SAML2_METADATA_URL
|
||||
entityid: <base_url>/<name>/proxy_saml2_backend.xml
|
||||
entityid: !ENV SAML2_ENTITY_ID
|
||||
accepted_time_diff: 60
|
||||
allow_unknown_attributes: true
|
||||
service:
|
||||
@@ -38,6 +38,7 @@ config:
|
||||
height: '200'
|
||||
authn_requests_signed: true
|
||||
want_response_signed: true
|
||||
signing_algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
|
||||
allow_unsolicited: true
|
||||
name_id_format:
|
||||
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
module: satosa.micro_services.attribute_authorization.AttributeAuthorization
|
||||
name: AttributeAuthorization
|
||||
config:
|
||||
force_attributes_presence_on_allow: true
|
||||
attribute_allow:
|
||||
default: # any requester (SP/RP)
|
||||
default: # any issuer (IdP/OP)
|
||||
eduPersonPrincipalName:
|
||||
# The eduPersonPrincipalName value may have been filtered by the
|
||||
# AttributeFilter processor, if it did not match an expected scope
|
||||
# for the IdP.
|
||||
# We require it to be non-empty here, to avoid an unhandled error
|
||||
# later in the PrimaryIdentifier processor.
|
||||
- ".+"
|
||||
eduPersonAffiliation:
|
||||
- "^faculty$"
|
||||
- "^staff$"
|
||||
- "^employee$"
|
||||
- "^researcher$"
|
||||
- "^teacher$"
|
||||
@@ -0,0 +1,12 @@
|
||||
module: satosa.micro_services.attribute_modifications.FilterAttributeValues
|
||||
name: AttributeFilter
|
||||
config:
|
||||
attribute_filters:
|
||||
# default rules for any IdentityProvider
|
||||
"":
|
||||
# default rules for any requester
|
||||
"":
|
||||
eduPersonPrincipalName:
|
||||
# enforce correct scope (the part after '@' must match one
|
||||
# of the scopes declared in the metadata)
|
||||
shibmdscope_match_scope:
|
||||
@@ -7,7 +7,7 @@ config:
|
||||
# names are the internal SATOSA names for the attributes as
|
||||
# defined in internal_attributes.yaml.
|
||||
ordered_identifier_candidates:
|
||||
- attribute_names: [eppn]
|
||||
- attribute_names: [eduPersonPrincipalName]
|
||||
|
||||
# The internal SATOSA attribute into which to place the primary
|
||||
# identifier value once found from the above configured ordered
|
||||
|
||||
@@ -12,6 +12,8 @@ FRONTEND_MODULES:
|
||||
- plugins/frontends/openid_connect_frontend.yaml
|
||||
- plugins/frontends/ping_frontend.yaml
|
||||
MICRO_SERVICES:
|
||||
- plugins/microservices/filter_attributes.yaml
|
||||
- plugins/microservices/attribute_authorization.yaml
|
||||
- plugins/microservices/primary_identifier.yaml
|
||||
- plugins/microservices/static_attributes.yaml
|
||||
- plugins/microservices/attribute_processor.yaml
|
||||
|
||||
@@ -23,10 +23,11 @@ license = { file = "LICENSE" }
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.11"
|
||||
dependencies = [
|
||||
"SATOSA==8.4.0",
|
||||
"SATOSA==8.5.1",
|
||||
"gunicorn==22.0.0",
|
||||
"redis==5.0.4",
|
||||
"JSON-log-formatter==1.0",
|
||||
"WhiteNoise==6.7.0",
|
||||
]
|
||||
|
||||
[project.urls]
|
||||
|
||||
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 13 KiB |
@@ -0,0 +1,9 @@
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="refresh" content="1; url=https://agentconnect.gouv.fr/">
|
||||
</head>
|
||||
<body>
|
||||
<h1>Passerelle ProConnect vers RENATER. Redirection en cours…</h1>
|
||||
</body>
|
||||
</html>
|
||||
@@ -2,7 +2,7 @@ import json
|
||||
import os
|
||||
|
||||
import pytest
|
||||
from playwright.sync_api import Browser, BrowserContext, Page, expect
|
||||
from playwright.sync_api import Browser, Page, expect
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
@@ -10,10 +10,12 @@ def browser_context_args():
|
||||
return {"locale": "fr-FR"}
|
||||
|
||||
|
||||
def renater_test_idp(page):
|
||||
page.get_by_label("Nom d'utilisateur").fill("etudiant1")
|
||||
page.get_by_label("Mot de passe").fill("etudiant1")
|
||||
def renater_test_idp(page, login):
|
||||
page.get_by_label("Nom d'utilisateur").fill(login)
|
||||
page.get_by_label("Mot de passe").fill(login)
|
||||
page.get_by_label("Afficher les informations qui vont être transférées").check()
|
||||
page.get_by_role("button", name="Connexion").click()
|
||||
page.get_by_role("button", name="Accepter").click()
|
||||
|
||||
|
||||
def renater_wayf(page):
|
||||
@@ -22,24 +24,30 @@ def renater_wayf(page):
|
||||
page.get_by_role("button", name="Sélection").click()
|
||||
|
||||
|
||||
def oidc_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def oidc_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":"Dupont"')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
|
||||
id_token = result["access_token_response"]["id_token"]
|
||||
assert {"acr": "eidas1"}.items() <= id_token.items()
|
||||
userinfo = result["userinfo"]
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
"sub": f"{login}@test-renater.fr",
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
}.items() <= userinfo.items()
|
||||
return id_token
|
||||
|
||||
@@ -47,43 +55,82 @@ def oidc_to_renater(context: BrowserContext):
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_oidc_to_renater(browser: Browser):
|
||||
id_token1 = oidc_to_renater(browser.new_context())
|
||||
id_token2 = oidc_to_renater(browser.new_context())
|
||||
def test_oidc_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token1 = oidc_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token2 = oidc_to_renater(page)
|
||||
|
||||
assert id_token1["sub"] == id_token2["sub"]
|
||||
|
||||
|
||||
def agent_connect_login(page: Page):
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_oidc_to_renater_student_not_allowed(page: Page):
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"error":"access_denied"')
|
||||
|
||||
|
||||
def pro_connect_login(page: Page, email):
|
||||
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
|
||||
page.get_by_label("Connexion à AgentConnect").click()
|
||||
page.get_by_label("Email professionnel").fill("jean.dupont@formation.renater.fr")
|
||||
page.get_by_role("button", name="S’identifier avec ProConnect").click()
|
||||
page.get_by_label("Email professionnel").fill(email)
|
||||
page.get_by_test_id("interaction-connection-button").click()
|
||||
|
||||
|
||||
def agent_connect_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
agent_connect_login(page)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def pro_connect_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
pro_connect_login(page, email=expected_email)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("body")).to_contain_text("jean.dupont@formation.renater.fr")
|
||||
text = page.inner_text("#json")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
expect(page.locator("body")).to_contain_text(expected_email)
|
||||
text = page.inner_text("#userinfo")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
|
||||
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_agent_connect_to_renater(browser: Browser):
|
||||
result1 = agent_connect_to_renater(browser.new_context())
|
||||
result2 = agent_connect_to_renater(browser.new_context())
|
||||
def test_pro_connect_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
result1 = pro_connect_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
result2 = pro_connect_to_renater(page)
|
||||
|
||||
assert result1["sub"] == result2["sub"]
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_pro_connect_to_renater_student_not_allowed(page: Page):
|
||||
pro_connect_login(page, email="jean.dupont@formation.renater.fr")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("body")).to_contain_text("Une erreur technique est survenue.")
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_serve_static_assets(page: Page):
|
||||
page.goto("https://satosa.traefik.me/images/logo.svg")
|
||||
expect(page.locator("svg")).to_be_visible()
|
||||
|
||||
Reference in New Issue
Block a user