Compare commits
110 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| cfec0eead1 | |||
| 5932135ec5 | |||
| 0a43908ac3 | |||
| 435e2e20a9 | |||
| 5dcfcf213d | |||
| 00b048d94d | |||
| bda7a44bc8 | |||
| 9db60451aa | |||
| 018b9e8726 | |||
| ea4199de91 | |||
| 4d1a9c56d2 | |||
| 14f9d42889 | |||
| 3a0a0564d7 | |||
| 9a82204f69 | |||
| fd4a2b665f | |||
| 645bbaca74 | |||
| 1ef50896ec | |||
| f8661c76d5 | |||
| ecfa38f11e | |||
| 159d992783 | |||
| 2efaaa8281 | |||
| f0b1c4cbc3 | |||
| 2e9dd01907 | |||
| 5f7b7ab8a8 | |||
| 9994eb84b0 | |||
| f9efafd574 | |||
| 208c4467df | |||
| 0e82e8b771 | |||
| 798afdf2a9 | |||
| 7cf9fda7d8 | |||
| 1816d2a8de | |||
| c89b9b7ada | |||
| c0d252f390 | |||
| fa39964a64 | |||
| 44b9879a3b | |||
| 7c3a0fccc9 | |||
| c224e31a66 | |||
| 4892192b85 | |||
| 79aee346a2 | |||
| 4e84ec0f2b | |||
| 3401da37ff | |||
| 1124893498 | |||
| 1557f7ba22 | |||
| 6c344fae05 | |||
| cb8352787d | |||
| 9a33149e9e | |||
| a56ce17b34 | |||
| a8bf8f61b4 | |||
| 7b1571b0ed | |||
| 3ecbf1a5a0 | |||
| 445485ecc5 | |||
| 1bceed1373 | |||
| 850636970c | |||
| 9a1803b3e6 | |||
| c51c95e007 | |||
| 2687868465 | |||
| 38707412b3 | |||
| 8cd89621b2 | |||
| 425365d22a | |||
| 63806bde22 | |||
| 96299e1386 | |||
| bf015c9238 | |||
| 589d447f19 | |||
| ddc09cca50 | |||
| ae2d4a573b | |||
| 5be05fe43e | |||
| f90df5c2c6 | |||
| 6bbcd95069 | |||
| b839c32b50 | |||
| 9b062aa27d | |||
| 4a2ece217b | |||
| a7577ff85e | |||
| 4e81e1e750 | |||
| c27ebfe6ae | |||
| d84f2b32d5 | |||
| 9cb67bfb87 | |||
| ba1774bdbf | |||
| cb8ff5d878 | |||
| a6e01c071e | |||
| 5a0f2da202 | |||
| 3b2d50d657 | |||
| 52d7de305c | |||
| 64a0d4dd3d | |||
| ffbd161e29 | |||
| ba1c14291d | |||
| 4c4ccc88ba | |||
| c1b33453c3 | |||
| 6cede0a7f2 | |||
| 3b518b9b3a | |||
| 039d9a12cc | |||
| 6424679b85 | |||
| 30c91e2345 | |||
| ad726a92ce | |||
| 7cc8fc18a2 | |||
| 17289b1040 | |||
| 0580ec6d7e | |||
| 4b5bd5757c | |||
| 61680de401 | |||
| 0fc4450766 | |||
| db99364ae6 | |||
| 25c401c653 | |||
| 311d490566 | |||
| ba69d2d4bd | |||
| 82fc42d093 | |||
| 10fc48b9ad | |||
| b8fe38853f | |||
| e03dddde67 | |||
| 15064a0b45 | |||
| a2d275366c | |||
| 5c18904e39 |
@@ -9,9 +9,9 @@ We primarily use GitHub as an issue tracker. If however you're encountering an i
|
||||
|
||||
---
|
||||
|
||||
Please make sure you have read our [main Readme](https://github.com/numerique-gouv/oidc2fer).
|
||||
Please make sure you have read our [main Readme](https://github.com/proconnect-gouv/oidc2fer).
|
||||
|
||||
Also make sure it was not already answered in [an open or close issue](https://github.com/numerique-gouv/oidc2fer/issues).
|
||||
Also make sure it was not already answered in [an open or close issue](https://github.com/proconnect-gouv/oidc2fer/issues).
|
||||
|
||||
If your question was not covered, and you feel like it should be, fire away! We'd love to improve our docs! 👌
|
||||
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
name: 🐳 Build docker images
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- 'main'
|
||||
tags:
|
||||
- 'v*'
|
||||
pull_request:
|
||||
branches:
|
||||
- 'main'
|
||||
|
||||
jobs:
|
||||
build-and-push:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
|
||||
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
|
||||
with:
|
||||
images: ghcr.io/${{ github.repository }}
|
||||
tags: |
|
||||
type=ref,event=branch
|
||||
type=ref,event=tag
|
||||
type=ref,event=pr
|
||||
type=sha,prefix=sha-
|
||||
# set latest tag for default branch
|
||||
type=raw,value=latest,enable={{is_default_branch}}
|
||||
|
||||
- name: Login to Github Container Registry
|
||||
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ github.token }}
|
||||
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
|
||||
with:
|
||||
context: .
|
||||
target: production
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
|
||||
notify-argocd:
|
||||
runs-on: ubuntu-latest
|
||||
if: |
|
||||
github.event_name != 'pull_request'
|
||||
needs:
|
||||
- build-and-push
|
||||
steps:
|
||||
- uses: numerique-gouv/action-argocd-webhook-notification@cac2ee67896eb13e84e804f60c4271370424eaa8 # main
|
||||
id: notify
|
||||
with:
|
||||
deployment_repo_path: "${{ github.repository }}"
|
||||
argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
|
||||
argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"
|
||||
@@ -1,4 +1,4 @@
|
||||
name: OIDC2FER Workflow
|
||||
name: 💚 CI Tests
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -16,14 +16,14 @@ jobs:
|
||||
if: github.event_name == 'pull_request' # Makes sense only for pull requests
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: show
|
||||
run: git log
|
||||
- name: Enforce absence of print statements in code
|
||||
run: |
|
||||
! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude)**/oidc2fer.yml' | grep "print("
|
||||
! git diff origin/${{ github.event.pull_request.base.ref }}..HEAD -- . ':(exclude).github/**' | grep "print("
|
||||
- name: Check absence of fixup commits
|
||||
run: |
|
||||
! git log | grep 'fixup!'
|
||||
@@ -39,17 +39,17 @@ jobs:
|
||||
github.event_name == 'pull_request'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Check that the CHANGELOG has been modified in the current branch
|
||||
run: git whatchanged --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG
|
||||
run: git log --name-only --pretty="" origin/${{ github.event.pull_request.base.ref }}..HEAD | grep CHANGELOG
|
||||
|
||||
lint-changelog:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
- name: Check CHANGELOG max line length
|
||||
run: |
|
||||
max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
|
||||
@@ -65,11 +65,11 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
||||
with:
|
||||
python-version: '3.11'
|
||||
python-version: '3.14'
|
||||
- name: Install development dependencies
|
||||
run: |
|
||||
# Python's xmlsec requirement
|
||||
@@ -89,11 +89,11 @@ jobs:
|
||||
working-directory: src/satosa
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
- name: Install Python
|
||||
uses: actions/setup-python@v3
|
||||
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
||||
with:
|
||||
python-version: '3.11'
|
||||
python-version: '3.14'
|
||||
- name: Install development dependencies
|
||||
run: |
|
||||
# Python's xmlsec requirement
|
||||
@@ -101,3 +101,45 @@ jobs:
|
||||
pip install --user .[dev]
|
||||
- name: Run tests
|
||||
run: ~/.local/bin/pytest
|
||||
|
||||
helmfile-lint:
|
||||
runs-on: ubuntu-latest
|
||||
# skip this job on forks since they won't have access to the required secrets
|
||||
if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
|
||||
container:
|
||||
image: ghcr.io/helmfile/helmfile:v1.2.0
|
||||
steps:
|
||||
-
|
||||
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
|
||||
id: app-token
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
owner: numerique-gouv
|
||||
repositories: secrets
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
with:
|
||||
submodules: recursive
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
-
|
||||
name: Install mkcert
|
||||
run: |
|
||||
apt-get update -y -q && apt-get install -y -q libnss3-tools
|
||||
curl -Ss -L -o mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
|
||||
chmod +x mkcert
|
||||
mv mkcert /usr/local/bin/
|
||||
TRUST_STORES=none mkcert -install
|
||||
-
|
||||
name: Helmfile lint
|
||||
env:
|
||||
SOPS_AGE_KEY: ${{ secrets.SOPS_PRIVATE }}
|
||||
run: |
|
||||
HELMFILE=src/helm/helmfile.yaml.gotmpl
|
||||
environments=$(< $HELMFILE awk -F'[ :]+' '/^ [^ ]/ {print $2} /^---/ { exit }')
|
||||
for env in $environments; do
|
||||
echo "################### $env lint ###################"
|
||||
helmfile -e $env -f "$HELMFILE" lint || exit 1
|
||||
echo -e "\n"
|
||||
done
|
||||
@@ -1,71 +0,0 @@
|
||||
name: Docker Hub Workflow
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- 'main'
|
||||
tags:
|
||||
- 'v*'
|
||||
pull_request:
|
||||
branches:
|
||||
- 'main'
|
||||
|
||||
jobs:
|
||||
build-and-push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
-
|
||||
name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: lasuite/oidc2fer
|
||||
-
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Login to DockerHub
|
||||
run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
|
||||
-
|
||||
name: Build and push
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: .
|
||||
target: production
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
|
||||
notify-argocd:
|
||||
runs-on: ubuntu-latest
|
||||
if: |
|
||||
github.event_name != 'pull_request'
|
||||
needs:
|
||||
- build-and-push
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: .github/workflows/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Call argocd github webhook
|
||||
run: |
|
||||
data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
|
||||
sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
|
||||
curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
|
||||
@@ -1,17 +0,0 @@
|
||||
SOPS_PRIVATE=ENC[AES256_GCM,data:k9v8gJJ1ZTDbN8mR9NegKpCC8Kbv9ZqWDx3nhs6YAC6U2gxI0RDg5KRx0juym+5DPEVG4ck8y+ju/4uthRUZd0JkexEJX0WKFTo=,iv:hucEFAC/FTQsE4A+JmuY1PeJJcBRAWUqEul5wplVsJ8=,tag:uCYu26tM4hlheT8bCInA6A==,type:str]
|
||||
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:gsq8AIbLENiXfOg=,iv:48QhtPLRq0yWpffQPxmkb1FLOkNQ2vp1/o+fnU6QM/o=,tag:s7ADhOZ314EWMc82kRvK+A==,type:str]
|
||||
DOCKER_HUB_USER=ENC[AES256_GCM,data:/+bIx0jMNg==,iv:Em3MIFQ8B457gwkRGB0JkRknpEQ1maiqW42gh9/DWDY=,tag:Hc8ZHDludj8up7r0tH2FRw==,type:str]
|
||||
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:JHzooEYiqWdH4MjcNT3lL0fxY6YlfyhP6kM0kV6NPBnTtI46ip7nMXZoChkQT7CoPTof3IjMdJaD,iv:/CRQTZhnSi0UxgVd0crnvlVJfStIbYCG3cMTkejW0tU=,tag:p8QAWnwa+M4m9WSQMr7Obw==,type:str]
|
||||
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:oQyuVQFPmhLIL14hWK0vUxo+r/QEj8hb2uY6bntlEyNqrFg7NOameWFn+dvCsN+C90HT9wD9yhu9aXsV92cJxDI=,iv:MVeeLpJU4taPqoGvJ8bqh6bfLHntRfqic/kIBPY/WV4=,tag:gJXkjUvSjrGjqPqCw6mRyA==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9CUXhYSTVoMnNGZWda\nUUJuYnd4VVM0YW1tRHhIUjNoQnZ3cEc5ZkdFCmg2a3dkcGNVSGFWd2hBa3pVUU5H\nVlMzSHd1VlBBdVZHTXA4S214UkQvSzQKLS0tIDVjTCtHSnJDZ2pOOG5ONW1zbTY1\neHZpRlZqVlhaVkpsR0VwRHBWZ0d4VjQKQUFraK9M2bFItVmQ7l9Z59SY9YkhGzy3\nON3028ZP4Xfvr+8FaQj0xS/5rnHTFIKLmW7bbvvPWeBW/LFvfxaUcw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWnVKM2hwdXdDYXhVUzh0\nSGxrUWNYa25KcWdvRUxWNHl1eU1UdjN3UVNNCkJ2Y3FZblBMWlpUKzE2bW1HZUJF\nZldzKzhrWVhHd0RKN01Ub3JLYkNlZGMKLS0tIEJDTy9OUVNOTVdKQ1Y4eGpqUnIv\neTRTa1UrU3Q1LzVkZWpPaXpsamRXVGcK3PBKBPIVV58HT6UGOovjzgxqlrhDo/S7\nhIye04YRyGNZamnff0gOA0n9wXrcvTyFYiv5o9CFQtfg082j7ii70w==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_1__map_recipient=age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWndDNDBoMGxuRFhTalJu\nNnZVYXBwTjhsY3BXZmV6ZW1jQkZ2bExIQmowClZCZmU5L3p4SmVXSmV1YnpXT2lm\nSFlpQ0o0cENtYVRvQ05vWE5XTCtNV3MKLS0tIG9oVDIrdElpd01JUEpRK1hmaWZq\ndE4yQks5dkRRbk9ZN2o3UHQxeHhlMXcKXBZxVw/yVb+qM+puQYOqqUHEsNggZ9LX\nkVOelk2UijLUHx9VCoerrJkfI3mUKCsNCvwnrL2bqezHgg+VhPhukw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_2__map_recipient=age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N1h1OW4wRVh5YkR5TkJ5\nQTlDK2RUSkIzWjJwUnp3b2todm5FVVJPWnlZCjhJc1JZcEQ3KzJYRVBQLytOM3JG\nYUFJdHZDTlN3RXpyZlluWU13c0VET1UKLS0tIGhJZmJZNUx5TWl1YnFJN0RWeEkv\nWjZoZzZiM2lkMlFabXEvMnhaYUdxY1UK3d/SWz3fcij+4W4tq1zRFK+4sCYHTCxS\nEuT/a+St02Eirrg9SW3b52T1RvZriOQAR/VUG09pjjGliaf/oW0pVQ==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_3__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
sops_lastmodified=2024-04-18T10:38:19Z
|
||||
sops_mac=ENC[AES256_GCM,data:HGGl4gcXnli8Z7P2P1MspygWRIHJqTLesf/QpiUUC6qH07Qx5bhN5fA1Oo3WTcz+fXkfAY8SV2RZb2CHxo/NouCiATw7vodX1ttwvsUE6RLgdjvMJl4ecWucZMiBdBtpFF4IHrKxswQg1FEdT8U/JP3Gw0TxxaRXIqskXkytp9E=,iv:fPcbne5lDa6+b+DqB+Q2pJ11EB9Vfpvqd9yextCjv7U=,tag:MkVoOpIApCIluFzsazl16w==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.8.1
|
||||
@@ -0,0 +1,3 @@
|
||||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = ../../numerique-gouv/secrets
|
||||
-10
@@ -1,10 +0,0 @@
|
||||
creation_rules:
|
||||
# Using a single-key group to be able to use per-key comments,
|
||||
# see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
|
||||
- key_groups:
|
||||
- age:
|
||||
- age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # Jacques
|
||||
- age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e # Jonathan
|
||||
- age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj # github-repo
|
||||
- age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw # argocd
|
||||
|
||||
@@ -6,6 +6,49 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
|
||||
and this project adheres to
|
||||
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [1.0.13] - 2026-03-26
|
||||
- switch to stateless OIDC and remove Redis
|
||||
|
||||
## [1.0.12] - 2026-03-02
|
||||
- upgrade dependencies: Python 3.14.3, gunicorn 25.1.0…
|
||||
|
||||
## [1.0.11] - 2025-11-24
|
||||
- remove setuptools, wheel and pip from production Docker image
|
||||
|
||||
## [1.0.10] - 2025-11-21
|
||||
- rename helmfile.yaml for compatibility with helmfile 1.x
|
||||
|
||||
## [1.0.9] - 2025-10-03
|
||||
- map SAML entity IDs to SIRET (#34)
|
||||
- include ACR claim in ID token only if requested (#32)
|
||||
|
||||
## [1.0.8] - 2025-09-10
|
||||
- fix secrets submodule path following move to `proconnect-gouv` organization
|
||||
- update other references to `numerique-gouv` organization
|
||||
- publish Docker images at ghcr.io/proconnect-gouv/oidc2fer
|
||||
|
||||
## [1.0.7] - 2025-05-07
|
||||
- remove unused APT dependencies
|
||||
- upgrade to gunicorn 23.0.0
|
||||
|
||||
## [1.0.6] - 2025-03-11
|
||||
- upgrade to SATOSA 8.5.1
|
||||
- allow faculty, staff, employee, researcher, teacher affiliations
|
||||
|
||||
## [1.0.5] - 2025-03-06
|
||||
- add allowlist for URL paths to nginx ingress
|
||||
- allow customizing log levels per logger
|
||||
|
||||
## [1.0.4] - 2024-09-11
|
||||
- serve static files
|
||||
|
||||
## [1.0.3] - 2024-09-02
|
||||
- set SAML signing algorithm to use SHA256 for compatibility with AccessCheck
|
||||
|
||||
## [1.0.2] - 2024-07-22
|
||||
- check the scope of returned eduPersonPrincipalNames
|
||||
- require "employee" value in eduPersonAffiliation
|
||||
|
||||
## [1.0.1] - 2024-06-04
|
||||
- enable JSON logging and LOG_LEVEL environment variable
|
||||
- add production configuration
|
||||
|
||||
+17
-14
@@ -1,25 +1,23 @@
|
||||
# ---- base image to inherit from ----
|
||||
FROM python:3.11-slim-bookworm as common
|
||||
FROM python:3.14.3-slim-trixie AS common
|
||||
|
||||
# Install xmlsec1 dependencies required for xmlsec (for SAML)
|
||||
# Needs to be kept before the `pip install`
|
||||
RUN apt-get update && \
|
||||
RUN export DEBIAN_FRONTEND=noninteractive && \
|
||||
apt-get update && \
|
||||
apt-get -y upgrade && \
|
||||
apt-get install -y \
|
||||
pkg-config \
|
||||
gcc \
|
||||
xmlsec1 \
|
||||
libxml2-dev \
|
||||
libxmlsec1-dev \
|
||||
libxmlsec1-openssl && \
|
||||
apt-get install -qy --no-install-recommends xmlsec1 && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Silence pip warnings about running as root in a container
|
||||
ENV PIP_ROOT_USER_ACTION=ignore
|
||||
|
||||
# We want the most up-to-date stable pip release
|
||||
RUN pip install --upgrade pip
|
||||
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
|
||||
# Give the "root" group the same permissions as the "root" user on /etc/passwd
|
||||
# Give the "root" group the same permissions AS the "root" user on /etc/passwd
|
||||
# to allow a user belonging to the root group to add new users; typically the
|
||||
# docker user (see entrypoint).
|
||||
RUN chmod g=u /etc/passwd
|
||||
@@ -38,10 +36,14 @@ RUN mkdir -p /usr/local/etc/gunicorn
|
||||
COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satosa.py
|
||||
|
||||
# The default command runs gunicorn WSGI server in satosa's main module
|
||||
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py", "satosa.wsgi:app"]
|
||||
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
|
||||
|
||||
# ---- Development image ----
|
||||
FROM common as development
|
||||
FROM common AS development
|
||||
|
||||
# Install curl (for healthchecks)
|
||||
RUN export DEBIAN_FRONTEND=noninteractive && \
|
||||
apt-get update && apt-get install -qy curl
|
||||
|
||||
# Playwright browsers
|
||||
ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
|
||||
@@ -67,14 +69,15 @@ COPY ./src/satosa /app/
|
||||
USER ${DOCKER_USER}
|
||||
|
||||
# ---- Production image (keep last so it is the default target) ----
|
||||
FROM common as production
|
||||
FROM common AS production
|
||||
|
||||
# Copy oidc2fer application (see .dockerignore)
|
||||
COPY ./src/satosa /app/
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
RUN pip install .
|
||||
# Uninstall pip, setuptools and wheel after installation to reduce attack surface
|
||||
RUN pip install . && pip uninstall -y setuptools wheel pip
|
||||
|
||||
# Switch to unprivileged user
|
||||
USER ${DOCKER_USER}
|
||||
|
||||
@@ -47,6 +47,29 @@ Finally, you can check all available Make rules using:
|
||||
$ make help
|
||||
```
|
||||
|
||||
## Creating a release
|
||||
|
||||
1. Update `CHANGELOG.md` to change the `Unreleased` header to the new version
|
||||
number and date.
|
||||
2. Commit and push to `main`.
|
||||
3. Create a `vX.Y.Z` tag from `main` and push it.
|
||||
|
||||
## Deploying a release to production (DINUM instance)
|
||||
|
||||
1. Make sure the release you want to deploy has been built and appears on
|
||||
https://github.com/proconnect-gouv/oidc2fer/pkgs/container/oidc2fer
|
||||
2. Edit `image/tag` at the top of
|
||||
`src/helm/env.d/outscale-production/values.oidc2fer.yaml.gotmpl`.
|
||||
3. Commit and push to `main`.
|
||||
4. Update the `production` tag and push it.
|
||||
|
||||
## Environment variables
|
||||
|
||||
| variable | usage |
|
||||
| --- | --- |
|
||||
| `LOG_LEVEL` | Sets the log level for the root logger, i.e. the default. Defaults to `INFO`. |
|
||||
| `LOG_LEVELS` | A JSON object that can be used to set log levels for specific loggers, e.g. `{"satosa.backends.saml2": "DEBUG"}`. Defaults to `{}`. |
|
||||
|
||||
## Contributing
|
||||
|
||||
This project is intended to be community-driven, so please, do not hesitate to
|
||||
|
||||
@@ -13,6 +13,11 @@ docker_build(
|
||||
]
|
||||
)
|
||||
|
||||
docker_build(
|
||||
'localhost:5001/oidc-test-client:latest',
|
||||
context='docker/oidc-test-client'
|
||||
)
|
||||
|
||||
watch_file('src/helm')
|
||||
|
||||
k8s_yaml(local('cd src/helm && helmfile -n oidc2fer -e dev template .'))
|
||||
|
||||
+12
-9
@@ -13,8 +13,8 @@ services:
|
||||
BASE_URL: https://satosa.traefik.me
|
||||
GUNICORN_CMD_ARGS: --workers=2
|
||||
TEST_E2E: 1
|
||||
#TEST_E2E_AC: 1
|
||||
OIDC_DB_URI: redis://redis/0
|
||||
#TEST_E2E_PC: 1
|
||||
OIDC_DB_URI: stateless://:STATE-ENCRYPTION-KEY@localhost
|
||||
CLIENT_DB_JSON: |
|
||||
{
|
||||
"oidc-test-client": {
|
||||
@@ -30,15 +30,21 @@ services:
|
||||
}
|
||||
}
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/idps.xml
|
||||
SAML2_ENTITY_ID: https://satosa.traefik.me/Saml2/proxy_saml2_backend.xml
|
||||
env_file:
|
||||
- env.d/development/common
|
||||
- env.d/development/satosa
|
||||
volumes:
|
||||
- ./src/satosa:/app
|
||||
- ./docker/files/usr/local/etc/gunicorn/satosa.py:/usr/local/etc/gunicorn/satosa.py
|
||||
depends_on:
|
||||
- redis
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "--fail", "http://localhost:8000/ping"]
|
||||
interval: 60s
|
||||
timeout: 5s
|
||||
retries: 3
|
||||
start_period: 30s
|
||||
start_interval: 1s
|
||||
|
||||
oidc-test-client:
|
||||
build: docker/oidc-test-client
|
||||
@@ -65,13 +71,10 @@ services:
|
||||
#OIDC_PROVIDER: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
OIDC_CLIENT_ID: oidc-test-client
|
||||
OIDC_CLIENT_SECRET: oidc-test-secret
|
||||
OIDC_SCOPES: openid,uid,given_name,usual_name,email
|
||||
OIDC_SCOPES: openid,uid,given_name,usual_name,email,siret
|
||||
extra_hosts:
|
||||
- "oidc2fer.127.0.0.1.nip.io:host-gateway"
|
||||
|
||||
redis:
|
||||
image: redis:7.2.4
|
||||
|
||||
nginx:
|
||||
image: nginx:1.25
|
||||
ports:
|
||||
|
||||
@@ -39,11 +39,5 @@ printenv SAML2_BACKEND_KEY > /tmp/backend.key
|
||||
printenv OIDC_FRONTEND_KEY > /tmp/frontend.key
|
||||
printenv CLIENT_DB_JSON > /tmp/client_db.json
|
||||
|
||||
# Redis database number must be specified
|
||||
if [[ ! $OIDC_DB_URI =~ /[0-9]+$ ]]; then
|
||||
echo "🐳(entrypoint) adding db id to OIDC_DB_URI"
|
||||
export OIDC_DB_URI=$OIDC_DB_URI/0
|
||||
fi
|
||||
|
||||
echo "🐳(entrypoint) running your command: ${*}"
|
||||
exec "$@"
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import datetime
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
import sys
|
||||
@@ -29,6 +30,8 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
url += f"?{record.args['q']}"
|
||||
|
||||
return {
|
||||
"logger": record.name,
|
||||
"level": record.levelname,
|
||||
"remote_ip": record.args["h"],
|
||||
"method": record.args["m"],
|
||||
"path": url,
|
||||
@@ -37,7 +40,7 @@ class RequestJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
"user_agent": record.args["a"],
|
||||
"referer": record.args["f"],
|
||||
"duration_in_ms": record.args["M"],
|
||||
"poppid": record.process,
|
||||
"pid": record.process,
|
||||
}
|
||||
|
||||
|
||||
@@ -55,14 +58,27 @@ class DefaultJSONFormatter(json_log_formatter.JSONFormatter):
|
||||
payload: dict[str, str | int | float] = super().json_record(
|
||||
message, extra, record
|
||||
)
|
||||
payload["logger"] = record.name
|
||||
payload["level"] = record.levelname
|
||||
payload["pid"] = record.process
|
||||
return payload
|
||||
|
||||
|
||||
class NoPingFilter(logging.Filter):
|
||||
"""
|
||||
Filters out /ping requests from the access log.
|
||||
"""
|
||||
|
||||
def filter(self, record: logging.LogRecord) -> bool:
|
||||
return not( record.args.get("m", "") == "GET"
|
||||
and record.args.get("U", "") == "/ping"
|
||||
and str(record.args.get("s", "")) == "200" )
|
||||
|
||||
|
||||
bind = ["0.0.0.0:8000"]
|
||||
name = "satosa"
|
||||
python_path = "/app"
|
||||
wsgi_app = "oidc2fer.wsgi:app"
|
||||
|
||||
# Run
|
||||
graceful_timeout = 90
|
||||
@@ -75,6 +91,9 @@ accesslog = "-"
|
||||
errorlog = "-"
|
||||
loglevel = os.environ.get("LOG_LEVEL", "INFO")
|
||||
|
||||
loglevels_json = os.environ.get("LOG_LEVELS", "{}")
|
||||
loglevels = json.loads(loglevels_json)
|
||||
|
||||
logconfig_dict = {
|
||||
"version": 1,
|
||||
"disable_existing_loggers": True,
|
||||
@@ -94,7 +113,24 @@ logconfig_dict = {
|
||||
"handlers": ["json_request"],
|
||||
"propagate": False,
|
||||
"qualname": "gunicorn.access",
|
||||
"filters": [NoPingFilter()],
|
||||
},
|
||||
"satosa.base": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.state": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.proxy_server": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.routing": {
|
||||
"level": "INFO",
|
||||
},
|
||||
"satosa.frontends.ping": {
|
||||
"level": "INFO",
|
||||
},
|
||||
**{k: {"level": v.upper()} for k, v in loglevels.items()},
|
||||
},
|
||||
"formatters": {
|
||||
"json_request": {
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
FROM python:3.11
|
||||
FROM python:3.14.3-slim-trixie
|
||||
|
||||
COPY . /app
|
||||
|
||||
|
||||
@@ -2,13 +2,10 @@ from flask import Flask, jsonify, request, session
|
||||
from oic.oic import Client
|
||||
from oic.utils.authn.client import CLIENT_AUTHN_METHOD
|
||||
from oic import rndstr
|
||||
from oic.oic.message import RegistrationResponse
|
||||
from oic.oic.message import Claims, ClaimsRequest, RegistrationResponse
|
||||
from oic.utils.http_util import Redirect
|
||||
from oic.oic.message import AuthorizationResponse
|
||||
import secrets
|
||||
import webbrowser
|
||||
import threading
|
||||
import time
|
||||
import logging
|
||||
import os
|
||||
|
||||
@@ -52,6 +49,7 @@ def index():
|
||||
"nonce": session["nonce"],
|
||||
"redirect_uri": client.registration_response["redirect_uris"][0],
|
||||
"state": session["state"],
|
||||
"claims": ClaimsRequest(id_token=Claims(acr=None, amr=None)),
|
||||
}
|
||||
)
|
||||
login_url = auth_req.request(client.authorization_endpoint)
|
||||
@@ -68,6 +66,12 @@ def oidc_callback():
|
||||
|
||||
assert aresp["state"] == session["state"]
|
||||
|
||||
if "error" in aresp:
|
||||
return jsonify(
|
||||
error_response=aresp.to_dict(),
|
||||
)
|
||||
|
||||
|
||||
code = aresp["code"]
|
||||
logging.info("got auth code=%s", code)
|
||||
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
Flask==3.0.3
|
||||
oic==1.6.1
|
||||
oic==1.7.0
|
||||
|
||||
@@ -0,0 +1,93 @@
|
||||
# Principe de fonctionnement de la passerelle ProConnect vers RENATER (`OIDC2FER`)
|
||||
|
||||
## Vue d'ensemble
|
||||
|
||||
Ce premier schéma donne un aperçu des échanges entre :
|
||||
* un Fournisseur de Service ProConnecté (ex. https://pad.numerique.gouv.fr) ;
|
||||
* le service ProConnect (hébergé sur `https://auth.agentconnect.gouv.fr`) ;
|
||||
* la passerelle `OIDC2FER` (hébergé sur `https://renater.agentconnect.gouv.fr`) ;
|
||||
* le service de _discovery_ ou _Where Are You From (WAYF)_ RENATER qui permet à l'utilisateur de choisir son établissement de rattachement, hébergé sur https://discovery.renater.fr/agentconnect/ ;
|
||||
* le serveur d'identité SAML de l'établissement sélectionné (par exemple, https://cas.inria.fr).
|
||||
|
||||
``` mermaid
|
||||
sequenceDiagram
|
||||
participant FS as Fournisseur<br>de Service
|
||||
participant ProConnect
|
||||
box LightYellow
|
||||
participant OIDC2FER
|
||||
end
|
||||
participant WAYF as WAYF<br>RENATER
|
||||
participant IdP as IdP SAML
|
||||
|
||||
FS->>ProConnect: OIDC auth request
|
||||
ProConnect->>OIDC2FER: OIDC auth request
|
||||
OIDC2FER->>WAYF: discovery request
|
||||
WAYF->>OIDC2FER: IdP entityID
|
||||
OIDC2FER->>IdP: SAML AuthnRequest
|
||||
IdP->>OIDC2FER: SAML Assertion
|
||||
OIDC2FER->>ProConnect: OIDC tokens+userinfo
|
||||
ProConnect->>FS: OIDC tokens+userinfo
|
||||
```
|
||||
|
||||
## Détail des échanges
|
||||
|
||||
Noter que le schéma précédent ne reflète pas le détail des échanges entre l'utilisateur, son navigateur (qu'il est utile de distinguer pour illustrer que plusieurs échanges se font sans intervention humaine), et les différents services mentionnés. En voici une version exhaustive :
|
||||
|
||||
``` mermaid
|
||||
sequenceDiagram
|
||||
actor Utilisateur
|
||||
participant Navigateur
|
||||
participant FS as Fournisseur<br>de Service
|
||||
participant ProConnect
|
||||
box LightYellow
|
||||
participant OIDC2FER
|
||||
end
|
||||
participant WAYF as WAYF<br>RENATER
|
||||
participant IdP SAML
|
||||
|
||||
Utilisateur->>Navigateur: Saisie/clic URL FS
|
||||
Navigateur->>FS: Requête d'une page du FS
|
||||
opt si pas de session FS ouverte
|
||||
FS->>Utilisateur: Présentation page d'accueil avec bouton ProConnect
|
||||
Utilisateur->>FS: Clic bouton ProConnect
|
||||
FS->>Navigateur: Redirection OIDC vers ProConnect avec state, nonce
|
||||
Navigateur->>ProConnect: Requête GET avec state, nonce
|
||||
opt si pas de session ProConnect ouverte
|
||||
ProConnect->>Utilisateur: Présentation mire ProConnect
|
||||
Utilisateur->>ProConnect: Clic bouton RENATER, ou saisie "robert@univ-exemple.fr"
|
||||
ProConnect->>Navigateur: Redirection OIDC vers OIDC2FER avec state, nonce
|
||||
Navigateur->>OIDC2FER: Requête GET avec state, nonce
|
||||
OIDC2FER->>Navigateur: Redirection vers WAYF
|
||||
Navigateur->>WAYF: Requête GET
|
||||
opt si pas de préselection enregistrée dans le WAYF
|
||||
WAYF->>Utilisateur: Présentation liste d'établissements autorisés
|
||||
Utilisateur->>WAYF: Choix d'un établissement
|
||||
end
|
||||
WAYF->>Navigateur: Redirection vers OIDC2FER avec entityID IdP
|
||||
Navigateur->>OIDC2FER: Requête GET avec entityID IdP
|
||||
OIDC2FER->>Navigateur: Redirection vers IdP avec AuthnRequest SAML dans l'URL
|
||||
Navigateur->>IdP SAML: Requête GET avec AuthnRequest SAML dans l'URL
|
||||
opt si pas de session IdP ouverte
|
||||
IdP SAML->>Utilisateur: Présentation mire de connexion IdP
|
||||
Utilisateur->>IdP SAML: Saisie identifiants de connexion
|
||||
end
|
||||
IdP SAML->>Navigateur: Page avec formulaire contenant assertion SAML
|
||||
Navigateur->>OIDC2FER: Requête POST avec assertion SAML
|
||||
Note over OIDC2FER: Validation<br>eduPersonAffiliation
|
||||
Note over OIDC2FER: Conversion attributs<br>SAML vers OIDC
|
||||
OIDC2FER->>Navigateur: Redirection vers callback OIDC ProConnect avec authorization_code
|
||||
Navigateur->>ProConnect: Requête GET avec authorization_code
|
||||
ProConnect->>OIDC2FER: Demande tokens avec authorization_code
|
||||
OIDC2FER->>ProConnect: Tokens OIDC
|
||||
ProConnect->>OIDC2FER: Demande userinfo avec accessToken
|
||||
OIDC2FER->>ProConnect: userinfo
|
||||
end
|
||||
ProConnect->>Navigateur: Redirection vers callback OIDC FS avec authorization_code
|
||||
Navigateur->>FS: Requête GET avec authorization_code
|
||||
FS->>ProConnect: Demande tokens avec authorization_code
|
||||
ProConnect->>FS: Tokens OIDC
|
||||
FS->>ProConnect: Demande userinfo avec accessToken
|
||||
ProConnect->>FS: userinfo
|
||||
end
|
||||
FS->>Utilisateur: Contenu du service
|
||||
```
|
||||
Executable
+4
@@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
|
||||
git submodule update --init --recursive
|
||||
git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'
|
||||
Submodule
+1
Submodule secrets added at aa2de36cd8
@@ -0,0 +1,22 @@
|
||||
image:
|
||||
repository: localhost:5001/oidc-test-client
|
||||
pullPolicy: Always
|
||||
tag: "latest"
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
host: oidc-test-client.127.0.0.1.nip.io
|
||||
|
||||
env:
|
||||
- name: OIDC_ROOT_URL
|
||||
value: https://oidc-test-client.127.0.0.1.nip.io
|
||||
- name: OIDC_PROVIDER
|
||||
value: https://oidc2fer.127.0.0.1.nip.io
|
||||
- name: OIDC_CLIENT_ID
|
||||
value: oidc-test-client
|
||||
- name: OIDC_CLIENT_SECRET
|
||||
value: oidc-test-secret
|
||||
- name: OIDC_SCOPES
|
||||
value: openid,uid,given_name,usual_name,email,siret
|
||||
- name: EXTRA_ROOT_CA
|
||||
value: {{ exec "mkcert" (list "-CAROOT") | trim | printf "%s/rootCA.pem" | readFile | quote }}
|
||||
@@ -5,36 +5,57 @@ image:
|
||||
|
||||
satosa:
|
||||
replicas: 1
|
||||
envVars:
|
||||
BASE_URL: https://oidc2fer.127.0.0.1.nip.io
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
env:
|
||||
- name: BASE_URL
|
||||
value: https://oidc2fer.127.0.0.1.nip.io
|
||||
|
||||
- name: GUNICORN_CMD_ARGS
|
||||
value: --workers=3
|
||||
|
||||
LOG_LEVEL: debug
|
||||
- name: LOG_LEVEL
|
||||
value: debug
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
- name: SAML2_DISCOVERY_URL
|
||||
value: https://discovery.renater.fr/test/
|
||||
- name: SAML2_METADATA_URL
|
||||
value: https://pub.federation.renater.fr/metadata/test/idps.xml
|
||||
- name: SAML2_ENTITY_ID
|
||||
value: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
- name: STATE_ENCRYPTION_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
- name: SAML2_BACKEND_CERT
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
- name: SAML2_BACKEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
- name: OIDC_FRONTEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
|
||||
OIDC_DB_URI: "redis://:pass@redis-master:6379"
|
||||
CLIENT_DB_JSON: |-
|
||||
{
|
||||
"oidc-test-client": {
|
||||
"response_types": [
|
||||
"id_token",
|
||||
"code"
|
||||
],
|
||||
"redirect_uris": [
|
||||
"https://oidc-test-client.traefik.me/redirect_uri",
|
||||
"https://oidc-test-client.traefik.me:8443/redirect_uri"
|
||||
],
|
||||
"client_secret": "oidc-test-secret",
|
||||
"token_endpoint_auth_method": "client_secret_post"
|
||||
- name: OIDC_DB_URI
|
||||
value: "stateless://:$(STATE_ENCRYPTION_KEY)@localhost"
|
||||
|
||||
- name: CLIENT_DB_JSON
|
||||
value: |-
|
||||
{
|
||||
"oidc-test-client": {
|
||||
"response_types": [
|
||||
"id_token",
|
||||
"code"
|
||||
],
|
||||
"redirect_uris": [
|
||||
"https://oidc-test-client.traefik.me/redirect_uri",
|
||||
"https://oidc-test-client.traefik.me:8443/redirect_uri",
|
||||
"https://oidc-test-client.127.0.0.1.nip.io/redirect_uri"
|
||||
],
|
||||
"client_secret": "oidc-test-secret",
|
||||
"token_endpoint_auth_method": "client_secret_post"
|
||||
}
|
||||
}
|
||||
- name: SIRET_MAP
|
||||
value: |-
|
||||
{
|
||||
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
|
||||
}
|
||||
}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:bNRbntCYIa0YLGpvPaxomPz2TvrlUtniv9ehs6hdTSvR0DQqiiNq3f04nGKNvDTHzm3rxF/fvLPQFpEFN651iCvyeolvemzDwUlxxcCtgzcLso3VCLtIjaEFr3mWrcQZdOTSA1LbSNrXnmkKbz26tm66NnSr0GqAuj4M6uq2W14W951DP5DMEAIKdLVpIBLPtuj7LfrO8wHYsa5bQHfEby/SVCV33y6GD7NWQP+Og+z8cW+H1trGrySD54JpPWvC866wVXf5+9W5QTa0YAZfXgACnTeDrUGKHQupa/KnE8HPLN2RYBB0riDXfmTZt7sVBGyjFHFTDxDwhCsVfgl2LSXUurWN3R0KsJz9r/B8NRfo4uhW/y/wdgKkMNCm1vSn4OnasCGnDO0FTn9Fn5tJpXFI/zJf6/PPPENgta62Qle8WR4RU9H+OWlrxzP42R2AW4f0KYnjJ/e6spe/+CR7tXfiHHzjwKVOE6W5cc2cazeNZTspCXtsAtT3t+uatZbrjDejuluuZSLa6/ugVbvGyPwr2R7SKtJOMZbEYoIIOmtGy6fXlTnyHXFWr3gSCmhOC6C91IT+MA0izYzjjR+h1tYNgM3y+3D+HIaPCjmE7cV368qOfjCjHVavtd5t1aIBNgGaGVBL+m/s2kzCpAb8fS1Krdga6UyrV2Grc2HjLABdP+lEJj2y2aPne1AyuybCV+LBF83qjLh/gMQ5CN9HJpNEkRAal8M8/YYyBkWSGX/1f9EV7RuPA87RcDJFbduzf7MsY5u+T4kJ2ajz/jPSGTBSr+5AT7pWJpX+vwwN35ICQL25e8mADXcTbccrci0bZes48agwV3dMEMib3AjpSzfyjYnCymCYdKhzKnTeW8jIHIN0tOImU7or60JPalYYy6NMb2YMGEjWRmrXZvG/qOJNPMKiWt6nvrO67Y3OfGwlrb4yS0Nk40qR0kw/F/5M0di0W8oO/+Fr8gGBWxvYH4N5vgfG8QE1xM6khbIt3vxyrq3R9RWjtHhari9IMuJ35prVp6Tas57VKXdpULVFyXO0pQJEQXLTAl0SAdninU2Db1xJnl0N0pwPibkhrWusb/hq+4aXm83mXC+nJZQBRCfPWxddYDyH66xXsg7Atc2EV8XZGiLKisSrmYxvQeHPYIdMJgUKqV+at2vFmQgElzbOnt2/eezlGm17N/17xcDR9JBajL/kiJ0g6oCqjRA3N2AXpJr5rSTmlnNop3qtrjqLkdnhwLRAbp+Wcwy1v5ElkQkdlpS+S2W81odaEpfHDS8IkMh/zViIzCby8mqDhNv2jKeVumXSJxQ3aPBfNgkb25VciH986r49IT9lzA7MVcJ2iakbMq2S+VG45fEp67wOFuZCs0aeKrFkQnkvguVXIHYT7hmM9+mvp1sbrDKcCK9QqHnq//CkSC0NTcU44NB2R6OLfXYuN3ZcMJLBUI8IMtlbkVOrqYJCWzjiKlCTWKxSu1vl9TX/neQuw7aM32jaQ9MnyU2PQPAlbvU10UvSY8eCg6TYk1RL9KWVRHwIWrxKyzuFRq7a1Px1dR9cVeb1CP9oS7T9r5x1KOfZksOcH4hE4uZcm5W2VuFCmU5N/qV+PUR/93lvrHpUSOKucOjUc6aA+DsYLWWoU/FbE5ompJ5z1qGZaceq5ewluZJp07NnayULlyfh7TcBOE6mwS3n1LFdhUPhqAv4mOfxPE/qO8DShOH9DyJK0Txl87qaJw1BCdsurGPl56R9fMiUBugPpLmOYnbIYr2KLSJipuUhVJVJoRu8ZMrI9+CXn3UvrK40KpAkw+DioWRUMNwwoWMalw4rQpuIVR5KrA+HFA2h7LB4S9gF+lEUXRckcI0vH078SxeZvIb9HWnDXY9eBGH6JtpkbAqOmSL9W/jQ1jneiVnb2RHTLvzD0QYutW0pgbuv1bf6CKbDVwLjaMyzg1Y2KRbibHpeBmE5tgNiZJU39mcQBcgg9BzwVDbbmWshx+yEMzRbkzn5D8eGdWLjlrYod5IPJYzFJ2Xib8b+wOeyb425/IALFllugssbIptmZxCIh1wRJlI5FTv7RqBGPzhE9v2sRjwZcTG45qqxipEpN2MyfDQQAySXB4Wn4Hv8khTJwKCWnFcQ10nqcbl9occ/JFGhmKXB/wcsuBZswYLXb4fXDw41drqFihJoJkOI2a1yQvC4bjZt+L6irbxXBtqzAtGDzXkFoP6SocqeU5QMSHr8V6CY9uTM1d3TGgS7pfMlD1m7FqmNUHbFA0tM+vue0EFtEwo=,iv:nIG2yH87Nni9T6pIULBT3UjE84fo7qcXKh1HMaNN8wM=,tag:cxicrx6v1c6ggtKG8wGzOw==,type:str]
|
||||
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:vkVGrB0KqjCGU9Mmqo4F9ClzVz48kRCJF/SWXUChnrH6iILBKKd8qpiCdh2r44Goufy5eau0fYh93DO9/81PkXzW6TpTKIhS6L0FxQ0V4Ur4QOkxTUAyuyepSrWCBfH4KCo0WmaGJUQPKT+rvyy4AysG0cEKIb9CZjYx0C21M97q3PGMOa643QrWa4VLJf9v1sOgv0pBUElfPWzUsKdslD9unJPtFtYjGJx7Nz5MPNuFfNqS3U4kaAgmDn5cYNfFYc0su8DVtQSED19KN3NNcMfW0ON5dWvkvqFRbd8UsL//bWQrCP8EsQAipr+I8CTEbOzMw0XmGAMglAB/fCf+wf+W2txXTHPLzlipweNKealy0lQsw7+RRcx4/ON8lcMm52zpf7H3VtEwn6RxCKOrmF6M9MnBxZEYYvramCxA7KJ1xrKxmwwPoikxRnRYJN52shXjt34+3ykaYapuFYV5tnMM17vhtpCSRaEWoKzTVGR7Pb1sEn0yBMuXADEhjVOFTHEPWpEUX28ukA26Zn4xVrMiL9gGK9z1Nemiw65oLY54xmdVelIM1djsKfqenODzCqmlbq950GZWUBT4LaQFtkMuRJK9Y2U+jI0JCA6SVlGSylKSWbaLlzKU97xf6HMKz8wvw+aPJX6PDasY9C6JDRy7O9VTZL5UKcbUAtw6q7sp8TVPbssMlct1oM4YP2RYNKo6mZE7NGfL+IIa6H+hk2o7ULW+H6B4oz0i1F2HFScLRYhxCgl5iQtxX4oWpqn1Yag/1WmsJUL8tM1wE7MfX7T4Aa3eQzWEfjJ+CgTj0glaWoKl04myFSA5/howv8jE0xYd+eCBvftiMCX81tqvBSxbE1qXZiOnqYB4vsJZbaJzXojTzV9rL72cYviCGSk4xklJoD+ycikyn/iNZ4hET3nzrDZolFA/2WCFbFtjpGPXndoiflSOOhvPb56w1bs9/af3p79GWrm0uOMkMo4IsQRuTgFhBETmA3VdVKCGMswmC5lHB9aZ6JYuQINxufKSo+hw5cnF3qstGG0b+AjCdmEK/xaN4tuOeuFPFj6y4EVB+9xPNCbyP3jk046DO2fUnr/sHcB3LYsGZuo2hw/qxua1/LXBJpY/Z86sp/EKHGBRIrBhq+zTXaiuEbUon7xpE0/rcrMZUuz8genyA9GGQsnmhV3ykVSb39rJc5SJ6m5AxaowobEuEYDUGSngSjTuBO/fQMjQAWVdpF6s0vhTodv0oiYR3fARj9xhNrTBcSF3fBHIFYlzqF6sq6Gvjusog1ihkIe05o5OzoHLvf8p7sWQ6MvOaiUnH7bPieUge8ERwmDihoaPgWVgNAEQAZ5FGB5VAQ847KR5oOs7YU0uhn+xXaRdrsxI1YzOJcfBx13+5B4Z+yu8SwBGnvkZPdrBqaizSyRPZuCw7RBPxSbjg4eJaVFdOn8OlzvYxEaTXYopIXo4Bjubaws8QITqAduFg7HS7TWGHDe3HwI6DnlMfcgYrZl1l/FHlSYjdbN8Fr9cHxYNJH5CbLeB2jB4Gw8HzsmSNLXT8fv/aR0RLfNvtScrMg==,iv:TxSEZLotrgoaGfdPndOkluXAazjc49+K+pJ7Vbv9wZw=,tag:1DFBDaEMsTFw+OR9lxu8Rw==,type:str]
|
||||
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:+ccVB/bzqdvL85ub+/Aj8Oo52D46Dbh8nFw6tzbvqa6jGz5Jve5wNNMEToBD77esdqNE77BaO8jOPiwLh15m6dpjIK8Cgq6N3PoQ8OADktYYSFa+GLmBbkXISIXyDZZmp4uUoVMOIv24uLtScWhugB0OksycmlVzj+620C937wd9RIC2bSUwUjRs6nodABt4flLKURkAyTLTt8KtFJzAmeLgLEoTCFpXrVlaxgOZjB6qNs3bJLyXCJyJj6PjQPCOGTE0PT1uNRCketTDyDWKQrIG3v5n1OLssnwfwHZk9Er9PdlexUuKmueWvjrv9ANfSc3rhv9gAHH107p+ji8jtblVF7CLGIXLjRjDpOdQbKply1sD/LQaoKFPZTSWXpXe77j/pjmlnJqZ6kt3N6DZEh2Xo2llR1KUXsU4bxpB8VoGHUPoWFceNgQLt2SO19NKEDg6qJgO+qzAMsUCNFogoXd8fo3jO2BWUraqDdyxK6f1Qr5eICBHKcqr82NOyllRedkLCwNeln2Gda5Z5BwhfcfEcbPQ0L7dmGq0ApuTRc0LX2CLnDqnsMn6Ax/CV1gbYS8XCLk8QA5htyRCAki0uj6G6+b1yDlZqnR6c7FW+FmmpNUBJK+my6Czp4wTW9aEFiZhcA+nAsGK6VGCV3nNvhhcOAGihTUdSBywSHW8fF40+uDrkYcB1f/MkC3VwwK2EWQbupYti6vrlWF8LKd9hapFWLJy/HL540UuWoUSSGLJOsfzCDXDOsDfKQkcx+Of5APQpkeJCirgj5UBYnAA7h3618hUrkTvSK5SflqYL7nSQ2iRdpiCdSm2FlgMiGUusoKYtDtQmfw/KZ1i12nBIW/4gul8SU6MlsHa9nC14NYqE7Gm+rzv/1z0kjLrE+SDEdAT5YNpoYpwjiljBbjhNuaxetHyJk2v53aQnwNTbiEy5XRJ7KvGPyFUJJkMYGa9l2HPPzhhiSMp69SX+hwooYtRLOkO2/76ltgyFPhY5BIShcSA2iKLgg3rVTO4w8JE9VU0F/sgGv76C6ihhRd9zWdQlbcaechcLG2cjdXaa8+/a3JJfTsV/18dzq+SkaPOebGpgjW8V7Fw4Clbxd/ZoADkq3sfV1WKpzvIFoRcXW1rXlFT8u8lyYfxyYTsosEy79pTYLKoiuwQ3xnMGTywP7QZ3aYD17RNCz/YnN1ARFQVldaqyA0C1GG1CSiSl2PKVFI0cd5lFPKIeXhvcct5bcJBEHw3ZBt3u7MzPDiren5ts86BgwMbjdcTcbsVSnE6S7+eYeg1oi/AzscDIi4U/lgNLtPOhHk53fOi6UvMYWieKjQL+JtvGIJ898ZqoAN7Q+/ZLoNepNVIYSqsfkkgS/fFtvvl6YEVJSXkVUxMQ2s4AP7MnW6Dko1L7tzaINl9omK01/Y0oIwdUskXqkTpcBVuvE0hd5qzcEL9UjN9YCyU0kYa+4sgYrvz36+/gohSp/ZMK0M1kJUn2dz5dw2oQNK54pym+8gBHwKfzydXMJmSh9pe7tyrOnoDBevetghd7fBcxHaC3SbfkRC9bDZkve04/dOIhI0y4ECs+fRgNXzVOMy4dfA4n+3Zs2vqPX7dBF0oGqPnvw4W26F5exy+Ks2Js7YjzBEHEyly96p/8ja9oBJahvaNGWGJ/uKj+S8Pr7RcuBSrzUKgCNCPay0pL1xttv8BHkJNiM6hbnH28/w06JnKp8NvBgTX5AgjbKdJUbbAh+ElEaYzi3zqri0EwyFb8/T+F1UWqp3lWgh0ztWL6hU8M3Do/HqsfZGgO1GME0goe+rUqYJtemKi4ObNPmVsnK7xfKMheVxhsdJN1rSbq4ZAiip8ZqvREgA5wMNgb5HmdJKFZOj3FpCrnOxn+/mxPXMaC5lpfdv/oazWvnEMxzpreY10UBSaCrGYWxeZHET+ryj2cOxc2mv+01tdRQXNHEBCQDprOcLpBxrWK28QdFfb2bGpHAZODeBn05CWGMAD/UjAD1FaWFg546NpOC7/2BuP9RzUSKmCGetbK+LEtjGT9G1ljr610uvmI1gfMAvclp2Jnddc590Xzt1+7VUUagBpUpuJyA4Hd3cejumfUz46T20ILs75nQewHC3lJ/K91ZgMzAmy5pi/iUvcX6yVn5T3FQviRLLQOlCGurBt4gGFd7Z6n7DdNQPf1Gw6PUnTWLZVR3jG0x7fCIlsU/A7RR8fc1XB2D6qnGXazMgQJkv/Z7sIkfyOrShuP9k/9iralWQbdup9Wdxxy7yAbrH4GvB7FEc=,iv:aWuvKqvB5IAqtX9eXv8x83edY1a35A52gfSi461dwTE=,tag:8skKS0UvaOZy7KP0ii8fkQ==,type:str]
|
||||
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:i/Eh7Tw2bRmt7RGdl3DgQtW/xWRH734NC34iuzllKcEiCjS8HhiRrMdozEsoo+jd4h395XNw4bUeBIWr66JY0A==,iv:nB3bKa3rm+gONINsKyRRSQkkJWO+JJlb4B9k9o2DpJw=,tag:MesJ3dZYi92Fi+Wwrs8gnQ==,type:str]
|
||||
CLIENT_DB_JSON: ENC[AES256_GCM,data:tEm3OufNzYelKJnZHD4uhnHPAQq3j8uWatdzFBnERYrKHejyQJGbrgzD4JMJAGQp6hNlSst/2uqhaICoXPLzSOkq0iF9V4P1/HRaA1qpbtSJe56wiMzdXb4tvcQ3aSeEmNQsHjnoTmdrNIgMi2/X0YVd3Zu2Ju5gGm8xIBnlBnUdBS1BqFBUoDIPoj/dku6KsdJSKRQw05PMzH4n0jCgqtPgMXPDUFHFwrXv0wsWvk4rpie2LQhIGMxHa161fybmPpXU5VMEiIho0tSXEO69JbmP7jfpOEwJqh3Ti5URTETXxxdzoDX/E3EY1RNtog9WkfsN2Bzxd9BzfylLnf5Qq9EYuABjpSzhNMeWZsMn0ohRTkPlhNo4WHuYVaR2DK7etm+YwLLJr4KQMlZMho6uKXK6UC2wKAVHgg3zULd31ZUIpfKChdfI,iv:+Pbk1dlO8mDWhdyj7bIZKmswtIA0+KsV+6kAAdSQebE=,tag:4jiRZr/HxWMXZ4a8WeIu2A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
|
||||
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
|
||||
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
|
||||
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
|
||||
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
|
||||
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
|
||||
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
|
||||
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
|
||||
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
|
||||
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
|
||||
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
|
||||
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
|
||||
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
|
||||
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
|
||||
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
|
||||
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
|
||||
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-16T14:23:25Z"
|
||||
mac: ENC[AES256_GCM,data:rii6asmLqUJnunn4eTj2ClS9yBjSeoUo1JrcrhQupb+nMIadWdgG0OF9uAkmJTfGSbrGJNhuxUKH6DEzG5DQ9fMv1xdewaxFcHn0xS8W1OypgYOxGpXtChcPfKX2Px8bfijFi59ETnvfIl2mbCqVKeH3ZUOk/yN7FbCVLVwzCy8=,iv:AcyRzDVoCUdUv9q8FqL4AOffWCxEfKXr14goyxI6sKw=,tag:ZOm97QO/rexjoJJWW2G/Eg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/outscale-production/secrets.enc.yaml
|
||||
@@ -1,26 +1,172 @@
|
||||
image:
|
||||
repository: lasuite/oidc2fer
|
||||
repository: ghcr.io/proconnect-gouv/oidc2fer
|
||||
pullPolicy: Always
|
||||
tag: "v1.0.1"
|
||||
tag: "v1.0.13"
|
||||
|
||||
satosa:
|
||||
replicas: 2
|
||||
envVars:
|
||||
BASE_URL: https://renater.agentconnect.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
env:
|
||||
- name: BASE_URL
|
||||
value: https://renater.agentconnect.gouv.fr
|
||||
- name: GUNICORN_CMD_ARGS
|
||||
value: --workers=3
|
||||
|
||||
LOG_LEVEL: info
|
||||
- name: LOG_LEVEL
|
||||
value: INFO
|
||||
- name: LOG_LEVELS
|
||||
value: '{ "satosa.backends.saml2": "DEBUG" }'
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/renater
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml
|
||||
- name: SAML2_DISCOVERY_URL
|
||||
value: https://discovery.renater.fr/agentconnect/
|
||||
- name: SAML2_METADATA_URL
|
||||
value: https://pub.federation.renater.fr/metadata/fer/idps.xml
|
||||
- name: SAML2_ENTITY_ID
|
||||
value: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
CLIENT_DB_JSON: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
|
||||
- name: STATE_ENCRYPTION_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
- name: SAML2_BACKEND_CERT
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
- name: SAML2_BACKEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
- name: OIDC_FRONTEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
- name: CLIENT_DB_JSON
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
|
||||
|
||||
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
|
||||
- name: OIDC_DB_URI
|
||||
value: "stateless://:$(STATE_ENCRYPTION_KEY)@localhost"
|
||||
|
||||
# As provided by RENATER
|
||||
- name: SIRET_MAP
|
||||
value: |-
|
||||
{
|
||||
"http://idp.univ-poitiers.fr": "19860856400375",
|
||||
"https://apps.univ-lr.fr/idp/shibboleth": "19170032700015",
|
||||
"https://auth.sso.vet-alfort.fr/saml/metadata": "19940608300014",
|
||||
"https://auth.uttop.fr/saml/metadata": "19650048200019",
|
||||
"https://authentification.inrae.fr/saml/metadata/idp": "18007003901803",
|
||||
"https://federation.ens.psl.eu/idp/shibboleth": "19753459700012",
|
||||
"https://federation.umontpellier.fr/idp/shibboleth": "13002979600013",
|
||||
"https://federation.unimes.fr/idp/shibboleth": "93249157400012",
|
||||
"https://federation.upf.pf/idp/shibboleth": "19987001500013",
|
||||
"https://federation.utbm.fr/idp/shibboleth": "19900356700013",
|
||||
"https://federation3.univ-brest.fr/idp/shibboleth": "94129831700012",
|
||||
"https://idauthproxy.insa-lyon.fr/Saml2IDP/metadata": "19690192000013",
|
||||
"https://ident-shib.ensc-rennes.fr/idp/shibboleth": "19350077400016",
|
||||
"https://identification.univ-toulouse.fr": "13002132200016",
|
||||
"https://identites.ec-lyon.fr/idp/shibboleth": "19690187000010",
|
||||
"https://identites.ensea.fr/idp/shibboleth": "19951376300011",
|
||||
"https://identities.univ-jfc.fr/idp/prod": "19811201300018",
|
||||
"https://idp-genci.renater.fr/idp/shibboleth": "49468697500041",
|
||||
"https://idp-ng.univ-st-etienne.fr/idp/shibboleth": "93850168100010",
|
||||
"https://idp-septa.onisep.fr/idp/shibboleth": "18004302800653",
|
||||
"https://idp-v4.univ-montp3.fr/idp/shibboleth": "93249089900014",
|
||||
"https://idp.bnu.fr/idp/shibboleth": "18004406700015",
|
||||
"https://idp.cirad.fr/idp/shibboleth": "33159627000016",
|
||||
"https://idp.crous-reims.fr/idp/shibboleth": "18510200100327",
|
||||
"https://idp.ec-nantes.fr/idp/shibboleth": "19440100600011",
|
||||
"https://idp.ehesp.fr/idp/shibboleth": "13000362700010",
|
||||
"https://idp.ens-lyon.fr/idp/shibboleth": "13000812100019",
|
||||
"https://idp.ensam.eu/idp/shibboleth": "19753472000010",
|
||||
"https://idp.ensfea.fr/idp/shibboleth": "19310143300012",
|
||||
"https://idp.ensma.fr/idp/shibboleth": "19860073600021",
|
||||
"https://idp.ent.dauphine.fr/idp/shibboleth": "19754692200018",
|
||||
"https://idp.imt-atlantique.fr/idp/shibboleth": "18009202500121",
|
||||
"https://idp.inha.fr/idp/shibboleth": "19754688000018",
|
||||
"https://idp.inp-toulouse.fr/idp/shibboleth": "19311381800127",
|
||||
"https://idp.insa-rennes.fr/idp/shibboleth": "19350097200016",
|
||||
"https://idp.institut-agro.fr/idp": "13002622200013",
|
||||
"https://idp.isae.fr/idp/shibboleth": "13000427800011",
|
||||
"https://idp.lyon.archi.fr/idp/shibboleth": "19690184700018",
|
||||
"https://idp.renater.fr/idp/shibboleth": "18008947600055",
|
||||
"https://idp.rennes.archi.fr/idp/shibboleth": "19350089900029",
|
||||
"https://idp.sciencespo-lyon.fr/idp/shibboleth": "19690173000024",
|
||||
"https://idp.sciencespobordeaux.fr/idp/shibboleth": "19330192600039",
|
||||
"https://idp.uca.fr/idp/shibboleth": "13002806100013",
|
||||
"https://idp.uha.fr/idp/shibboleth": "19681166500013",
|
||||
"https://idp.unistra.fr/idp/shibboleth": "13000545700010",
|
||||
"https://idp.univ-avignon.fr/idp/shibboleth": "19840685200204",
|
||||
"https://idp.univ-cotedazur.fr/idp/shibboleth": "13002566100013",
|
||||
"https://idp.univ-eiffel.fr/idp/shibboleth": "13002612300013",
|
||||
"https://idp.univ-lemans.fr/idp/shibboleth": "19720916600010",
|
||||
"https://idp.univ-lille.fr/idp/shibboleth": "13002975400012",
|
||||
"https://idp.univ-lyon2.fr/idp/shibboleth": "19691775100014",
|
||||
"https://idp.univ-lyon3.fr/idp/shibboleth": "19692437700282",
|
||||
"https://idp.univ-orleans.fr/idp/shibboleth": "19450855200016",
|
||||
"https://idp.univ-perp.fr/idp/shibboleth": "19660437500010",
|
||||
"https://idp.univ-tln.fr/idp/shibboleth": "19830766200017",
|
||||
"https://idp.univ-tlse3.fr/idp/shibboleth": "93827139200012",
|
||||
"https://idp.univ-tours.fr/idp/shibboleth": "19370800500478",
|
||||
"https://idp.universite-paris-saclay.fr/idp": "13002602400054",
|
||||
"https://idp1.agroparistech.fr/idp/shibboleth": "13000285000134",
|
||||
"https://idp1.ens-paris-saclay.fr/idp/shibboleth": "19940607500036",
|
||||
"https://idp1.univ-fcomte.fr/idp/shibboleth": "93810656400017",
|
||||
"https://idp2.amue.fr/idp/shibboleth": "18004312700091",
|
||||
"https://idp2.brgm.fr/idp/shibboleth": "58205614900120",
|
||||
"https://idp2.emse.fr/idp/shibboleth": "18009202500105",
|
||||
"https://idp2.univ-paris8.fr/idp/shibboleth": "19931827000014",
|
||||
"https://idp3.univ-lorraine.fr/idp/shibboleth": "13001550600012",
|
||||
"https://idp3.ut-capitole.fr/idp/shibboleth": "13003061200019",
|
||||
"https://idp4.unicaen.fr/idp/shibboleth": "19141408500016",
|
||||
"https://idpv3.univ-amu.fr/idp/shibboleth": "13001533200013",
|
||||
"https://janus.cnrs.fr/idp": "18008901303720",
|
||||
"https://multipass.imt-nord-europe.fr/idp/shibboleth": "18009202500139",
|
||||
"https://papangue.vetagro-sup.fr/idp/shibboleth": "13000858400018",
|
||||
"https://prod-idp.inria.fr": "18008904700013",
|
||||
"https://ruhnu.univ-tlse2.fr/idp/shibboleth": "19311383400017",
|
||||
"https://shib.mines-albi.fr/idp/shibboleth": "18009202500097",
|
||||
"https://shib.univ-lehavre.fr/idp/shibboleth": "19762762300097",
|
||||
"https://identite.univ-reims.fr/idp/shibboleth": "19511296600799",
|
||||
"https://shib2.unc.nc/idp/shibboleth": "13000322100012",
|
||||
"https://shibboleth.ens2m.fr/idp/shibboleth": "19250082500026",
|
||||
"https://shibboleth.grenoble-inp.fr/idp/shibboleth": "19381912500017",
|
||||
"https://shibboleth.insa-rouen.fr/idp/shibboleth": "19760165100023",
|
||||
"https://shibboleth.ube.fr/idp/shibboleth": "93823061200013",
|
||||
"https://shibboleth.univ-corse.fr/idp/shibboleth": "19202664900264",
|
||||
"https://shibboleth.univ-evry.fr/idp/shibboleth": "19911975100014",
|
||||
"https://shibboleth.univ-grenoble-alpes.fr/idp/shibboleth": "13002608100013",
|
||||
"https://shibboleth.univ-savoie.fr/idp/shibboleth": "19730858800015",
|
||||
"https://shibboleth03.chartes.psl.eu/idp/shibboleth": "19753478700043",
|
||||
"https://shibboleth3.utt.fr/idp/shibboleth": "19101060200032",
|
||||
"https://srv-fii.insa-toulouse.fr/idp/shibboleth": "19310152400018",
|
||||
"https://sso-ciation-saclay.centralesupelec.fr/idp/shibboleth": "13002076100016",
|
||||
"https://sso.bordeaux-inp.fr/idp/shibboleth": "13000635600013",
|
||||
"https://sso.ird.fr/idp/shibboleth": "18000602500159",
|
||||
"https://upnidp2.parisnanterre.fr/idp/shibboleth": "19921204400010",
|
||||
"https://vip.espci.fr/saml2/idp/metadata.php": "20000068500012",
|
||||
"urn:mace:cru.fr:federation:uhb.fr": "19350937900015",
|
||||
"urn:mace:cru.fr:federation:unilim.fr": "19870669900321",
|
||||
"urn:mace:cru.fr:federation:univ-nantes.fr": "13002974700016",
|
||||
"urn:mace:cru.fr:federation:univ-paris1.fr": "19751717000019",
|
||||
"urn:mace:cru.fr:federation:univ-rennes1.fr": "13003051300019",
|
||||
"urn:mace:cru.fr:federation:univ-rouen.fr": "19761904200017",
|
||||
"urn:mace:cru.fr:federation:univ-ubs.fr": "19561718800600",
|
||||
"https://idp.marseille.archi.fr/idp/shibboleth": "19130236300020",
|
||||
"https://idp.inalco.fr/idp/shibboleth": "19753488600092",
|
||||
"https://idp.sigma-clermont.fr/idp/shibboleth": "13002191800011",
|
||||
"https://idp.univ-artois.fr/idp/shibboleth": "19624401600016",
|
||||
"https://idp2.ensai.fr/idp/shibboleth": "13001422800055",
|
||||
"urn:mace:cru.fr:federation:univ-lyon1.fr": "19691774400019",
|
||||
"https://idp.enitab.fr/idp/shibboleth": "19330203100011",
|
||||
"https://idp.oca.eu/idp/shibboleth": "19061563300012",
|
||||
"https://idp.univ-paris13.fr/idp/shibboleth": "19931238000017",
|
||||
"https://idp.ens-rennes.fr/idp/shibboleth": "13001848400019",
|
||||
"https://idp.uphf.fr/idp/shibboleth": "13002574500014",
|
||||
"https://idp.college-de-france.fr/idp/shibboleth": "19753480300014",
|
||||
"https://shibboleth.csi.uvsq.fr/idp/shibboleth": "19781944400013",
|
||||
"https://idp.esaip.org/idp/shibboleth": "37920438100014",
|
||||
"https://idp.eskn.fr/idp/shibboleth": "13002617200010",
|
||||
"https://auth.centrale-marseille.fr/idp/shibboleth": "19133340000015",
|
||||
"https://idp-insa-cvl.renater.fr/idp/shibboleth": "13001833600011",
|
||||
"https://shibboleth3.obspm.fr/idp/shibboleth": "19753496900013",
|
||||
"https://idp-ecole-air.renater.fr/idp/shibboleth": "13002454000010",
|
||||
"https://idp.enpc.fr/saml/metadata": "19753501600020",
|
||||
"https://idp.paris-malaquais.archi.fr/idp/shibboleth": "18009221500011",
|
||||
"https://idp.univ-pau.fr/idp/shibboleth": "19640251500270",
|
||||
"https://idp4.cereq.fr/idp/shibboleth": "18004303600037",
|
||||
"urn:mace:cru.fr:federation:univ-angers.fr": "19490970100303"
|
||||
}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:uVs1uGoFfESz0eAkxvPUkSXQw6cCvzi+YfH7pbXLxAXxYhmiKf25JarZX2ur8au3pdOd/rz0mZGpC2mfN8Fh+3+a0hseuvhqTetiFlc7Gc84HTXnyUQFzZa4Rgk6LeKGB8TDLG+s0F46u75KrRdHrwSbthBQhtiZCmoc+JcqSKJfl9Kv9OVMXEPHUy3zYvIy32Gk/+BEt+J9eo3RT1ZmmyRZToWWgXe906n2Bhvm8q05OgHkbCqu29TGKBviwikWTa36aUWNVdWh6XW7CtOPjWDvjYbVgb3O/Vwmw3mPRGviuAK1WS+kzMyP5oYQsWC5F97R0XlhnKElxpIRycCz3m/YLShuM1xtStiiR4mym6mNi99YonQ6hbodHSij9R/udXyMLeC5QZM15XzWHGFA+NemqVMGZ2C/xIhHCNUscKvHzOiQ2RiTk9VxNZfSdkzEXe2gMbl/+o3hSj8usFJOZWgToiYN+oBXgP1KqRlwdPSysCB3hs6mysn/1WlILWXN+EOYJP1jLsv1T4dC3ajujmnmhCn3/EYVI4TKEM6nJNs2KxNqlsC2D4G2n8NDciZVUt5a82tXWW6/ROA5UZDFOILkCHvfk6nkTRZjcXWmtPmCgwy54TysJ1wLsIycAsd8MuBTD3d9SpYFHKNC74O30bJe8GqtKObvHg8Ycp36+oH3gs41Mv5H32DumkUF6FcMJtbOEOYoEiHtuMSVXzuIdr6ikYQsRBU4v0UUpJTdMl2W+tYB8NeWBdI4jYaR+xwLw4+gs/deXhE7USTlPZJDB6a4DValxm+p7dLmUr5McgdhyEAACmxzhiSl33ccV2dIQCMsk4RoBXCZGX10ElY9bMk0vLaB5/n6qQgP51onxOUeJ6poKj4wneIZ7WmvbBfAVFUHoCPMQemjEEk6jVza4la4yQUW9rCgo/Tpfb7e05A+ux0CvNKvhcJLfyxN+LwDOw5X4p80gdVO8aWKyE+Ue6GPQBMZ8Ma31jlX//4KeIVcjpZAdutp38vJ936Ezrowu0HbviC1f0pJWXBVw0G8DGtpgorYhkN3Biwzu30jMEcWJXFSPqBGH0U2I5D4IXsDX1rH3DAR5UOKMVbWJ72zUq99Uip0FiaY1IVZLvfkfbPHwVq3jmuiZ/nXn1HenmNlkYOmOtL5BnZ47gHgXiMgFx6YGMBY50pZvk8ISKcacP52N9ph3EkovJR3Uam4XrtbMV0v9AGHX9aXYF1uB37q+ifZ4KB0b91dbXIUxXMb7FrbZ/iDX56+yTzdxdnXHWsmcBtPNFHxo+QjZvk4+UWlvoahwLJMGlxtgk71TPF65ms8y4L5Qq1vL2BgGiKWARWmq7KnrmrXQQWRZAXQd0lfqhVo7GDhppJUKBgYSQ4rC0q6u2mEm9YJc/3vsudKkwTyoYfBOmmz2+xI8fdaFuzg9UWswG3n61HMFYVf8+WAmoS7Bo21ns+KiIOroGruYdExr5rJOPcsLiPEr/Qmk0M=,iv:VI5LR7U20u6jG2voQgbnKcXclbWnROASzoYYz9N8Qlc=,tag:r1hGWOZRaiBblWvntcdYzg==,type:str]
|
||||
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:svNEf0i2AB0fQlJlwJ4tkST7R0GGArPGw7iVGA4pRYedphZrRkeTVUoI3e/Ku5fTv2IXBK4NU5NB9OvFL8VaX1hN3xxWcW6htcOzSGPklee/U4j9fSnUvZzCHtCz1sYgCoQCPcQObfLA2S2H+CMekJpy53djxfjbZdo6+A+T1Lcqk/aJkl8IO0+LgfK2vlp7X5hR4BLS+fdVOrogqzlIrr7iumvSBTS8RY0dp87iLGcWmKCYLrvSieyneiC1VgYughl6LxcPLBTPSJFZBt0NLR3oUMcumBaRpvrlLxPihJbqyC4Jn+We0IKBMYmLCEBBLjx+J4EFLHaG6p3+SyUmLYNJMeOvvexR/qTaiuwUp/3gsD8PrwxFVn7Z3jeL5gX0ohCQyETNuLpAw47yNAlHZaZ11FcFpRUINZrPBG/myJk4i40UQ+AmWBPgS/SxmQj91hoUPw23VDTGWLKv/B5Xd48A3hEOKeA7PmGOfCfd7d9eOJP42dcqWyUypogELAJgF+Leci4q6T99fnIGlBahJK8yDltc4NU4kEAsACdIBZBK+Ezyu+n1hOtg9BEDOUeilSy1TAgfi/B9CQrFLU9cSo1qFPHxIkaRPV3IVuGfEaxNpVrv68RaicYCfeUWIcQ3h13ftPIQlZ6rNukC1pDugV4GrPTtapokV/Z8/8QU0BcRAmfDIniBlk+uP2ga8YDJ4c1FDl6KYQt2zyzFQACOoVPOm/VvffGzOl042iO0ibHAklZerFgbjsiUCpBcRi4dOFqMt6OkvdTldFYGOm+FADtVdJaRoUk8uXe13GCUASjJUCrMOmimEb6gKNYbm2u27kWBIlPMNmLlelVkEpmPCmAl2yLXiJhdxBu0YgHyqwqizKOumckoYditFDXkK52ZtANqwLaHNtGV+aB5dvxRlN5NhsUYr9zLmgv4bUkYL2lI5p5IFN0Lha0fDG105FbIoqmuKXxWJ7IL7MisQLW5DGzN29gWH/uh3A00b3jiEn/0HvEh+P/38t20/IP/l65Z7OZAf2VA1jpCv04lKPXYmvMbcXIROhWcA1yqJvdgiNIh8eWWt/1mFzjRHQ1vfiW5XEn1Yoln6Q++Q5RgnlraizuZWDGeKvP/b5+B15lgdx7keG5rmSpn8ogJD7Cey6epsVY84Qbqpvcp5i5EcL/cMs9NkN2Yf6EGKhczILOAwH2YypWnttIz8OrftjqPzbAP/XOXLFxNbFBlyzLlYwTcjNUIZtg9OwK3k0zDKeHT+q6xSMFdyf3Xpdoh+NJD1QYzoSzosWj/Yzxg9bZVVpKOb89fkGRpNtCuHEkprr0LJUCaPSArANE+MH7E6uisBVvIQwF9MzTf6apHoyUIi0Oq0dRpryvD/OBf0V0Zn75uitpoSqEZf+i8+L3s7dsFp1lEwywUZuZPxmk8kOIyPGNG6KmuFOr0j/6jPO4/05dIvYb/f/sSCjQo3E99whPx5Of9tmlU4eCM4Fwzpgu/w4uKy4f27W4LYosfpENHGRbaWI2XFmmNL1J6Lm6h1yZ+3ck0391zBZA0pp0tNIR5AEc5UBn8GQHrmk9NW2QLMqQLPmhgAD6unHeJY9iYMoCAMqc14c6gjF7gjBCrZd58qBTcNHw3p0GJXACgCm/OGqhRYFuWF0kJUugnTK9n1wfy3/HNE/adBnOqJWEkoP4n/VVL+eucECBtOX0jPFHmPsMYMSdwupCB32G7I36dQPYQsjbD+Sg9StAQxbXUIALRQ1cMaeHpUNSc48sE8ElrjZStNf46oWs+rDjhleWdOlpfsOJ+qwJrLLXFqBMeFtgXpzL4NnRoEGjFFK5l7EtfGDK0/ytPPmOwarjEDftaLmDTfBniZrt/WuuChe7MHbKRcGFkBYA2nbbBfMcpnsGBXpEMQl8LYZR9Sg8hMT0rFYtXj+h0ceCIfsa1HdV43NR/oos7Nf32rjLAu/jVUMNwWOKew5+Du61gmhBVpVNtvTe8+31dYMoQGQrIbxnHQmT1fu8LB0Am45+Zghk8sc0d+81xEzYxvYXMR/QMbwJnWGGI4e7XSUMA5k9xKXXNDeYNCP/e9BGhl9sS0XYX0HSrjX6rsVI5K1QRjT+CBiIqlS7q6bofZ8tsiYhRSh7pgYgvodsPKezrZCTTY4/Xyg9iLMtqtpqMnfqmbaYvwJ6r5LbWeR89tkjmlHcWcue/85Y2D/1COiGFRODIityykTTjacGj/MlYXPE3O20Lr1P1YP2lm22i9kM5jKuCiGbyMn8ZuFVQ30Hnwv2qH4k=,iv:itJR8JpZRrwhbQY/kTEURY28vyu1qex7GsRme9icZYw=,tag:JgkJOE+bdK19KjvdH/k1Ug==,type:str]
|
||||
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:8I/blGdvSDc+Hy96s4OsULJTo9+qyF+8Z4mxA/S11kLQjhue9sRTp/2Q0Db/gw0fMibb8gwrRi4oH4BsHfXaNxtyPCxrgwmeCpaq0rvgrOn+czEDQGErf7QxHnzvsOMBqMygRWKk3aKLjZTNvfMeaQL9KSrtEgePrfUvykSIPwN4HwtNH9Tymq6xopAhgk9jWq5kzomCu6u4OCxz9Fp1GgTdj/gLplMWYeTyWZQFRPimZoBfoxhbih9qofw4uqmN8+iT/Fj9EOAUMsdYeI9i2GKoT/YRso8yipi8760teUwqoDntTVv2ExR4zDvhI5Z9jISyX3qAXls/bwmwAWSb+JIxPAwgbsMDwmPTHItG3Xr2NPkiBVWujMhg7duq+labguwUZelpqQnvnKbxWHm1+NGRS+VYpPQRvzRREh02ybDt7/yjQMSAhWOkDXzZf6WNQfEf5jguz3B6CA6PGAwz9gZX7JivP1O5ontaeULbF373VsOQPmn57qZirk39Ntg7S9tkt2voxilSBMkhDsSXC3Qa9veGnd+t+Jg/YCEamoJEJ85EBfPzgvr2s6Av9D8B2h/gruXCQVCm/Zr9BX8Lus8JmSohTeZUFVteabmxr4W0gwPJgb5Ki0HciKxGsE7ITA5SFFN4LdxsBHlvJ0aJ1pipYfkkpI3YdC45CI22b2gDNIqVamK8hpYn8bTP3jLWsO36M/wnDB6oKsFiTTb4HxNuWVzIshQG8Ua0xwuhizuvZRDuRPUe+gfaiy0Dqzo/RLX1C92TJ7tYzlpM5/u0n7YkY5+/IB2ljnmAC5Kj5z+kNxhTflX/8Z62WTPBZlzE+kJb9hgMQQ8t7jDk6RnpmrUhOKx7rzrFzI/qmXC9+8yHEhiCBI5Wn3R89uCwV0O6WAhIuG9zQiaSiCwDaS3DHCy4PgcUBdbh5tddJ6aazmM9xBZFcevy06gWKmdjbkg3sacjCpTTdnIT4hwxdISTRWtuyYj+pp1d/rs5426yadftPI21OQ1F062nSTKtyViP8PFxzppbCzpSUK5oDdL7wCX2+y8071GJqNipLw+hUS/1z9x7GvEs0Fy5ZOefoHShO/vS6CfXUYoPNpq9ZiAoXvLCRSfY8HEqfOF45hFJLJsVhaKXOe1t4mfHJxrl88NKZXRC3nvSdoqwP9MTdNuvTf86Gn4n+zd3qT07ARqjq4hlV3L69xBxAK/QFrxHagSWOE4Z/tHvYYEiohbn/F6J4k30uv5KnR5P2OpXGRiS5eNXzXdfW+DptBHttmJKtzxD4JJbWRP6kFaUZiCLQLyhZTWoPHmFSTphkxZ2MkqCx13eFTHA927/zehAYCU/miJ1JLATMYaD3mHWifEKRipfG406cF1Y11w27Of3fmhAhqO/7LeZX1a39NXKHW6sIk1Rz0mEaFT8tpBUUxdR1FVaj//MUc7QsvzaxT1O8JletttC8wlWx1mePS1IU49O0DyYcZn4BW8vVJFDz24N7ARb+WcajmsopZScgNwO6XqvDaH/j8mH/0eWCFzIMfW0+pUoCrrmAtoHQ/Z2Dx1j1Yhddxkae1dwoyWGFDqLJyjJ9Hq7Xpx9jQOGGP0mQ2TOw1zwNCzfnWV3MTXmLLwSMc4/ZpOxSqsmI9RlMPE8LeU+ee/jhINYntD/q0zykcoSLj07SfwnYBZPfZcnxNyc94fyrX6GYGfXIAmPR2/pryRtPyXLR3WK9SbL/8rGN50mO42QlvXK0azWRe6gMT4yHZP6V6d5Vqrte1tfhUf/DYuUC0on6qHW5TDrWw7QBdiUQeip4YhW42vgU2WjjNiPZF332uExy0pypO6cZTnsR/jCUZxFMd/IVKWyhAeJt/Wx1Jli1c1SNTigH7LCrSLyrsA2tmufRAcGXRzG2C0mjwofWb7zR1IGCZ0yoVPSt7HNpOY5WoBLpsbhXBodyYTmrSprxXu4cg/n/G8jbAo/xW0AriJolA5k6F9/DWD/tDnIawhwW4AqqeWDk1MmNoGOf/OMplDdwrpkmclVidIcNnaCML8iuKiPx4g+8mdOdkc/mqIP8zaSInRV1/IrIGGSGRwSfQ4wyRFGqC8fYckympShVAGbetOLXn5dd7S3MGlh6n/rgUecqYySs9ckN2Ti0F1g/2CMI5g1Tn4fF2dwOk/iKFLvsSt5Y/vLMTfjK7W+FSg8ImtLs/Jfbn0rrlMVjoBXB2e/yajmu7r+xneP0OeRja+oA1gGExodDmUa4zV6QEU8IFSMLdnqMtShDdRs/XT1YAHbrlS4swg=,iv:EJEMIEsraig+i+5PlieAwHS6XV5bP+wlxv6Wni/9Dws=,tag:DM1XLnEtTp0vFEjAD4u4ag==,type:str]
|
||||
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:U0BoVcDN6/sNDST8epqmOzs5oWok6lRZ+hLo7O6/Mkz0cqB4rcHe/OOC9HTe39K5WUCD25Rfrb4lSeK0Finl9A==,iv:NM9Wjlx/llNc7Ws8DaNYy9dVq/oFEdlK5a/Alr5ZxVA=,tag:VT8GhiFxeI8AjdcKdRkEcQ==,type:str]
|
||||
CLIENT_DB_JSON: ENC[AES256_GCM,data:C1UpicWcfmngdnBqGBMujt8aUZ+WpmvGs652NgR3gvN+aeQ1mMFWAjjCza5q9jN2sIhMbmu/NPrcTvLx4UNE0MOIclrWWbPdxk2UyylU+7TEas6V7OrpJa1e5D8msSSAnPLI7YSrRILSrw6pktnM/07d7S8Q1fkLGxJYkRboTGbTSRGRSSMDFdyrdrGiTDnc3H0y7FQerzQ8caRgRvb1JW8OPpJ+Kpk3jfTyFCNwiyJnISb48QCQPQX2jg9GpXl6OaPg2bw5OnnM1hi/qL+43nR/wV1WnvH/Z+Quvwgj7RorpS1TWVeLIC6zo8o49XFg6aHoiKigma3U/8ZeccsxpYHdsqObQ/mrSyYS87YNHXbl5miwjevaBGIj4Vteg16Vgs6R4jd8qgan+zCCfu5OwGmmCFG4M6EnuWhvQ5YpDGjclBc+q5exSnrb2hVOsEpYB2iRpcd5KNexrhCBJQZVMWRtAhnGIsupImctHaFVcZsvDBUQ3tQ+glt8s59VNZlnXPGE7hnB4L60PxMUJVhL6p8pbQtNvm6fCUBORoU+FCXnfGoK70Cxc/O6THvIcMH8L12rM0XEe/QyJIqRrBUtQcXgTZo3cB+tLVKW/MwKMyCk4s41McyEjL420pFh8cJ19iHWw5vZ4pZ4lkdtyaf3OI5eIVrnKj6uU96/daJSTOJCUgdyj/Vve//4m+UN7qkbnbahPRt5MZIY6P6P/Qs0JeV1tUnhe4vU,iv:WWpqoOZaXwIt1uziAdxgYDNSqR0XG0n/QexgIRItbm0=,tag:gzhESbDbnySTMMoJQiQl/g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
|
||||
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
|
||||
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
|
||||
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
|
||||
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
|
||||
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
|
||||
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
|
||||
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
|
||||
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
|
||||
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
|
||||
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
|
||||
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
|
||||
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
|
||||
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
|
||||
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
|
||||
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
|
||||
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-22T15:46:36Z"
|
||||
mac: ENC[AES256_GCM,data:Nc8rhWtwyXedqESemEusiy2yeqtDbjlep0PAbQ7UW2+jdZZE/uOW1I7LvqTNOKwPwMwFgT0+PyuxOzcSrYtH24A/QSEA2P5kH9S7VXaAZmrWYANTI1pMzqaMGYdP2KQlgK3SqBPmJlG8OHYAHpYpFMIUduWiYCdgEZCfzGbzsfg=,iv:2so40E91bgVh2AL5D6Ju1CXP1Bd31kN95/86/Oinkg0=,tag:rHy//0ddChLA/dIN4P0EhA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
+1
@@ -0,0 +1 @@
|
||||
../../../../secrets/numerique-gouv/oidc2fer/env/staging/secrets.enc.yaml
|
||||
@@ -1,31 +1,52 @@
|
||||
image:
|
||||
repository: lasuite/oidc2fer
|
||||
repository: ghcr.io/proconnect-gouv/oidc2fer
|
||||
pullPolicy: Always
|
||||
tag: "main"
|
||||
tag: "latest"
|
||||
|
||||
satosa:
|
||||
replicas: 2
|
||||
envVars:
|
||||
BASE_URL: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
GUNICORN_CMD_ARGS: --workers=3
|
||||
env:
|
||||
- name: BASE_URL
|
||||
value: https://oidc2fer-staging.beta.numerique.gouv.fr
|
||||
- name: GUNICORN_CMD_ARGS
|
||||
value: --workers=3
|
||||
|
||||
LOG_LEVEL: debug
|
||||
- name: LOG_LEVEL
|
||||
value: DEBUG
|
||||
- name: LOG_LEVELS
|
||||
value: '{ "satosa.backends.saml2": "DEBUG" }'
|
||||
|
||||
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
|
||||
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
|
||||
- name: SAML2_DISCOVERY_URL
|
||||
value: https://discovery.renater.fr/test/
|
||||
- name: SAML2_METADATA_URL
|
||||
value: https://pub.federation.renater.fr/metadata/test/idps.xml
|
||||
- name: SAML2_ENTITY_ID
|
||||
value: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
|
||||
|
||||
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
SAML2_BACKEND_KEY: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
OIDC_FRONTEND_KEY: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
CLIENT_DB_JSON: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
|
||||
- name: STATE_ENCRYPTION_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
|
||||
- name: SAML2_BACKEND_CERT
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
|
||||
- name: SAML2_BACKEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_KEY } }
|
||||
- name: OIDC_FRONTEND_KEY
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: OIDC_FRONTEND_KEY } }
|
||||
- name: CLIENT_DB_JSON
|
||||
valueFrom: { secretKeyRef: { name: oidc2fer, key: CLIENT_DB_JSON } }
|
||||
|
||||
OIDC_DB_URI: { secretKeyRef: { name: redis.redis.libre.sh, key: url } }
|
||||
- name: OIDC_DB_URI
|
||||
value: "stateless://:$(STATE_ENCRYPTION_KEY)@localhost"
|
||||
|
||||
- name: SIRET_MAP
|
||||
value: |-
|
||||
{
|
||||
"https://test-idp.federation.renater.fr/idp/shibboleth": "12345678200010"
|
||||
}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
host: oidc2fer-staging.beta.numerique.gouv.fr
|
||||
className: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
apiVersion: v2
|
||||
name: extra
|
||||
description: A Helm chart to add some manifests to oidc2fer
|
||||
type: application
|
||||
version: 0.1.0
|
||||
@@ -1,7 +0,0 @@
|
||||
apiVersion: core.libre.sh/v1alpha1
|
||||
kind: Redis
|
||||
metadata:
|
||||
name: redis
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
spec:
|
||||
disableAuth: false
|
||||
@@ -1,35 +1,3 @@
|
||||
repositories:
|
||||
- name: bitnami
|
||||
url: registry-1.docker.io/bitnamicharts
|
||||
oci: true
|
||||
|
||||
releases:
|
||||
- name: redis
|
||||
installed: {{ eq .Environment.Name "dev" | toYaml }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: bitnami/redis
|
||||
version: 18.19.2
|
||||
values:
|
||||
- auth:
|
||||
password: pass
|
||||
architecture: standalone
|
||||
|
||||
- name: extra
|
||||
installed: {{ ne .Environment.Name "dev" | toYaml }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: ./extra
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
|
||||
- name: oidc2fer
|
||||
version: {{ .Values.version }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: ./oidc2fer
|
||||
values:
|
||||
- env.d/{{ .Environment.Name }}/values.oidc2fer.yaml.gotmpl
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
|
||||
environments:
|
||||
dev:
|
||||
values:
|
||||
@@ -46,4 +14,26 @@ environments:
|
||||
- version: 0.0.1
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
---
|
||||
repositories:
|
||||
- name: bitnami
|
||||
url: registry-1.docker.io/bitnamicharts
|
||||
oci: true
|
||||
|
||||
releases:
|
||||
- name: oidc2fer
|
||||
version: {{ .Values.version }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: ./oidc2fer
|
||||
values:
|
||||
- env.d/{{ .Environment.Name }}/values.oidc2fer.yaml.gotmpl
|
||||
secrets:
|
||||
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
|
||||
|
||||
- name: oidc-test-client
|
||||
installed: {{ eq .Environment.Name "dev" }}
|
||||
version: {{ .Values.version }}
|
||||
namespace: {{ .Namespace }}
|
||||
chart: ./oidc-test-client
|
||||
values:
|
||||
- env.d/{{ .Environment.Name }}/values.oidc-test-client.yaml.gotmpl
|
||||
@@ -0,0 +1,24 @@
|
||||
apiVersion: v2
|
||||
name: oidc-test-client
|
||||
description: Test OIDC client
|
||||
|
||||
# A chart can be either an 'application' or a 'library' chart.
|
||||
#
|
||||
# Application charts are a collection of templates that can be packaged into versioned archives
|
||||
# to be deployed.
|
||||
#
|
||||
# Library charts provide useful utilities or functions for the chart developer. They're included as
|
||||
# a dependency of application charts to inject those utilities and functions into the rendering
|
||||
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
|
||||
type: application
|
||||
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
# follow Semantic Versioning. They should reflect the version the application is using.
|
||||
# It is recommended to use it with quotes.
|
||||
appVersion: "1.0.0"
|
||||
@@ -0,0 +1,51 @@
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "oidc-test-client.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "oidc-test-client.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "oidc-test-client.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "oidc-test-client.labels" -}}
|
||||
helm.sh/chart: {{ include "oidc-test-client.chart" . }}
|
||||
{{ include "oidc-test-client.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "oidc-test-client.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "oidc-test-client.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,71 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "oidc-test-client.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "oidc-test-client.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "oidc-test-client.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "oidc-test-client.labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
{{ with .Values.livenessProbe }}
|
||||
livenessProbe: {{ toJson . }}
|
||||
{{- end }}
|
||||
{{ with .Values.readinessProbe }}
|
||||
readinessProbe: {{ toJson . }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- with .Values.env }}
|
||||
env:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- sh
|
||||
- -ec
|
||||
- |-
|
||||
printenv EXTRA_ROOT_CA >> $(python -m certifi)
|
||||
exec python app.py
|
||||
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,38 @@
|
||||
{{- if .Values.ingress.enabled -}}
|
||||
{{- $fullName := include "oidc-test-client.fullname" . -}}
|
||||
{{- $svcPort := .Values.service.port -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "oidc-test-client.labels" . | nindent 4 }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
ingressClassName: {{ .Values.ingress.className }}
|
||||
{{- if .Values.ingress.tls.enabled }}
|
||||
tls:
|
||||
{{- if .Values.ingress.host }}
|
||||
- secretName: {{ $fullName }}-tls
|
||||
hosts:
|
||||
- {{ .Values.ingress.host | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- if .Values.ingress.host }}
|
||||
- host: {{ .Values.ingress.host | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $svcPort }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "oidc-test-client.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "oidc-test-client.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
targetPort: http
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
|
||||
{{- include "oidc-test-client.selectorLabels" . | nindent 4 }}
|
||||
@@ -0,0 +1,71 @@
|
||||
# Default values for oidc-test-client.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
image:
|
||||
repository: oidc-test-client
|
||||
pullPolicy: Always
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: ""
|
||||
|
||||
imagePullSecrets: []
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 5000
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: ""
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts: []
|
||||
tls:
|
||||
enabled: true
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
periodSeconds: 30
|
||||
|
||||
readinessProbe: null
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
env: []
|
||||
@@ -50,46 +50,6 @@ app.kubernetes.io/name: {{ include "oidc2fer.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
transform dictionnary of environment variables
|
||||
Usage : {{ include "oidc2fer.env.transformDict" .Values.envVars }}
|
||||
|
||||
Example:
|
||||
envVars:
|
||||
# Using simple strings as env vars
|
||||
ENV_VAR_NAME: "envVar value"
|
||||
# Using a value from a configMap
|
||||
ENV_VAR_FROM_CM:
|
||||
configMapKeyRef:
|
||||
name: cm-name
|
||||
key: "key_in_cm"
|
||||
# Using a value from a secret
|
||||
ENV_VAR_FROM_SECRET:
|
||||
secretKeyRef:
|
||||
name: secret-name
|
||||
key: "key_in_secret"
|
||||
*/}}
|
||||
{{- define "oidc2fer.env.transformDict" -}}
|
||||
{{- range $key, $value := . }}
|
||||
- name: {{ $key | quote }}
|
||||
{{- if $value | kindIs "map" }}
|
||||
valueFrom: {{ $value | toYaml | nindent 4 }}
|
||||
{{- else }}
|
||||
value: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
oidc2fer env vars
|
||||
*/}}
|
||||
{{- define "oidc2fer.common.env" -}}
|
||||
{{- $topLevelScope := index . 0 -}}
|
||||
{{- $workerScope := index . 1 -}}
|
||||
{{- include "oidc2fer.env.transformDict" $workerScope.envVars -}}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
{{- if .Values.ingress.enabled -}}
|
||||
{{- $fullName := include "oidc2fer.fullname" . -}}
|
||||
{{- $port := .Values.satosa.service.port -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
@@ -33,13 +34,15 @@ spec:
|
||||
- host: {{ .Values.ingress.host | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
{{- range .Values.ingress.paths }}
|
||||
- path: {{ .path | quote }}
|
||||
pathType: {{ .pathType }}
|
||||
backend:
|
||||
service:
|
||||
name: {{ include "oidc2fer.satosa.fullname" . }}
|
||||
name: {{ $fullName }}-satosa
|
||||
port:
|
||||
number: {{ .Values.satosa.service.port }}
|
||||
number: {{ $port }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingress.customBackends }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
{{- $envVars := include "oidc2fer.common.env" (list . .Values.satosa) -}}
|
||||
{{- $fullName := include "oidc2fer.satosa.fullname" . -}}
|
||||
{{- $component := "satosa" -}}
|
||||
apiVersion: apps/v1
|
||||
@@ -42,10 +41,9 @@ spec:
|
||||
args:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if $envVars}}
|
||||
{{- $envVars | indent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.satosa.env }}
|
||||
env: {{ toJson . }}
|
||||
{{- end }}
|
||||
{{- with .Values.satosa.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
@@ -82,3 +80,16 @@ spec:
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ if .Values.satosa.pdb.enabled }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
spec:
|
||||
maxUnavailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "oidc2fer.common.selectorLabels" (list . $component) | nindent 6 }}
|
||||
{{ end }}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
{{- $envVars := include "oidc2fer.common.env" (list . .Values.satosa) -}}
|
||||
{{- $fullName := include "oidc2fer.satosa.fullname" . -}}
|
||||
{{- $component := "satosa" -}}
|
||||
apiVersion: v1
|
||||
|
||||
@@ -21,10 +21,6 @@ image:
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
## @skip commonEnvVars
|
||||
commonEnvVars: &commonEnvVars
|
||||
<<: []
|
||||
|
||||
## @param ingress.enabled whether to enable the Ingress or not
|
||||
## @param ingress.className IngressClass to use for the Ingress
|
||||
## @param ingress.host Host for the Ingress
|
||||
@@ -33,7 +29,9 @@ ingress:
|
||||
enabled: false
|
||||
className: null
|
||||
host: oidc2fer.example.com
|
||||
path: /
|
||||
paths:
|
||||
- path: '/$|^/\.well-known/openid-configuration$|^/images/|^/Saml2/|^/OIDC/|^/ping$'
|
||||
pathType: ImplementationSpecific # enables regex matching
|
||||
## @param ingress.hosts Additional host to configure for the Ingress
|
||||
hosts: []
|
||||
# - chart-example.local
|
||||
@@ -48,10 +46,17 @@ ingress:
|
||||
## @param ingress.customBackends Add custom backends to ingress
|
||||
customBackends: []
|
||||
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/use-regex: "true"
|
||||
|
||||
## @section satosa
|
||||
|
||||
satosa:
|
||||
|
||||
## @param satosa.pdb.enabled Enable pdb on backend
|
||||
pdb:
|
||||
enabled: true
|
||||
|
||||
## @param satosa.command Override the satosa container command
|
||||
command: []
|
||||
|
||||
@@ -70,15 +75,8 @@ satosa:
|
||||
## @param satosa.securityContext Configure satosa Pod security context
|
||||
securityContext: null
|
||||
|
||||
## @param satosa.envVars Configure satosa container environment variables
|
||||
## @extra satosa.envVars.BY_VALUE Example environment variable by setting value directly
|
||||
## @extra satosa.envVars.FROM_CONFIGMAP.configMapKeyRef.name Name of a ConfigMap when configuring env vars from a ConfigMap
|
||||
## @extra satosa.envVars.FROM_CONFIGMAP.configMapKeyRef.key Key within a ConfigMap when configuring env vars from a ConfigMap
|
||||
## @extra satosa.envVars.FROM_SECRET.secretKeyRef.name Name of a Secret when configuring env vars from a Secret
|
||||
## @extra satosa.envVars.FROM_SECRET.secretKeyRef.key Key within a Secret when configuring env vars from a Secret
|
||||
## @skip satosa.envVars
|
||||
envVars:
|
||||
<<: *commonEnvVars
|
||||
## @param satosa.env Configure satosa container environment variables
|
||||
env: []
|
||||
|
||||
## @param satosa.podAnnotations Annotations to add to the satosa Pod
|
||||
podAnnotations: {}
|
||||
|
||||
@@ -67,7 +67,8 @@ disable=bad-inline-option,
|
||||
useless-suppression,
|
||||
missing-module-docstring,
|
||||
missing-class-docstring,
|
||||
missing-function-docstring
|
||||
missing-function-docstring,
|
||||
wrong-import-order
|
||||
|
||||
# Enable the message, report, category or checker with the given id(s). You can
|
||||
# either give multiple identifier separated by comma (,) or put this option
|
||||
|
||||
@@ -22,9 +22,15 @@ attributes:
|
||||
acr:
|
||||
openid:
|
||||
- acr
|
||||
eppn:
|
||||
eduPersonPrincipalName:
|
||||
saml:
|
||||
- eduPersonPrincipalName
|
||||
eduPersonAffiliation:
|
||||
saml:
|
||||
- eduPersonAffiliation
|
||||
uid:
|
||||
openid:
|
||||
- uid
|
||||
siret:
|
||||
openid:
|
||||
- siret
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
from .entity_id_to_siret_mapper import EntityIdToSiretMapper
|
||||
@@ -0,0 +1,23 @@
|
||||
import json
|
||||
import logging
|
||||
|
||||
from satosa.micro_services.base import ResponseMicroService
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class EntityIdToSiretMapper(ResponseMicroService):
|
||||
def __init__(self, config, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
self.attribute = config.get("attribute", "siret")
|
||||
self.mapping = json.loads(config.get("mapping_json", "{}"))
|
||||
|
||||
def process(self, context, data):
|
||||
entity_id = data.auth_info.issuer
|
||||
if entity_id in self.mapping:
|
||||
siret = self.mapping[entity_id]
|
||||
logger.info("Mapping entity ID %s to SIRET %s", entity_id, siret)
|
||||
data.attributes[self.attribute] = siret
|
||||
else:
|
||||
logger.warning("No SIRET mapping found for entity ID %s", entity_id)
|
||||
return super().process(context, data)
|
||||
@@ -0,0 +1,9 @@
|
||||
import os
|
||||
|
||||
from satosa.wsgi import app as satosa_app
|
||||
from whitenoise import WhiteNoise
|
||||
|
||||
# Wrap the SATOSA WSGI app in WhiteNoise to serve static files
|
||||
app = WhiteNoise(
|
||||
satosa_app, root=os.path.join(os.curdir, "static"), index_file="index.html"
|
||||
)
|
||||
@@ -3,11 +3,11 @@ name: Saml2
|
||||
config:
|
||||
disco_srv: !ENV SAML2_DISCOVERY_URL
|
||||
entityid_endpoint: true
|
||||
mirror_force_authn: 'no'
|
||||
memorize_idp: 'no'
|
||||
use_memorized_idp_when_force_authn: 'no'
|
||||
send_requester_id: 'no'
|
||||
enable_metadata_reload: 'no'
|
||||
mirror_force_authn: false
|
||||
memorize_idp: false
|
||||
use_memorized_idp_when_force_authn: false
|
||||
send_requester_id: false
|
||||
enable_metadata_reload: false
|
||||
acs_selection_strategy: prefer_matching_host
|
||||
sp_config:
|
||||
name: Passerelle OIDC vers FER
|
||||
@@ -23,7 +23,7 @@ config:
|
||||
# - url: https://mdq.federation.renater.fr
|
||||
remote:
|
||||
- url: !ENV SAML2_METADATA_URL
|
||||
entityid: <base_url>/<name>/proxy_saml2_backend.xml
|
||||
entityid: !ENV SAML2_ENTITY_ID
|
||||
accepted_time_diff: 60
|
||||
allow_unknown_attributes: true
|
||||
service:
|
||||
@@ -38,6 +38,7 @@ config:
|
||||
height: '200'
|
||||
authn_requests_signed: true
|
||||
want_response_signed: true
|
||||
signing_algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
|
||||
allow_unsolicited: true
|
||||
name_id_format:
|
||||
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
||||
|
||||
@@ -43,6 +43,7 @@ config:
|
||||
- uid
|
||||
- given_name
|
||||
- usual_name
|
||||
- siret
|
||||
|
||||
# Set code/token lifetimes as short as possible
|
||||
authorization_code_lifetime: 60
|
||||
@@ -56,8 +57,5 @@ config:
|
||||
- given_name
|
||||
usual_name:
|
||||
- usual_name
|
||||
extra_id_token_claims:
|
||||
oidc-test-client:
|
||||
- acr
|
||||
agent-connect:
|
||||
- acr
|
||||
siret:
|
||||
- siret
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
module: satosa.micro_services.attribute_authorization.AttributeAuthorization
|
||||
name: AttributeAuthorization
|
||||
config:
|
||||
force_attributes_presence_on_allow: true
|
||||
attribute_allow:
|
||||
default: # any requester (SP/RP)
|
||||
default: # any issuer (IdP/OP)
|
||||
eduPersonPrincipalName:
|
||||
# The eduPersonPrincipalName value may have been filtered by the
|
||||
# AttributeFilter processor, if it did not match an expected scope
|
||||
# for the IdP.
|
||||
# We require it to be non-empty here, to avoid an unhandled error
|
||||
# later in the PrimaryIdentifier processor.
|
||||
- ".+"
|
||||
eduPersonAffiliation:
|
||||
- "^faculty$"
|
||||
- "^staff$"
|
||||
- "^employee$"
|
||||
- "^researcher$"
|
||||
- "^teacher$"
|
||||
@@ -0,0 +1,12 @@
|
||||
module: satosa.micro_services.attribute_modifications.FilterAttributeValues
|
||||
name: AttributeFilter
|
||||
config:
|
||||
attribute_filters:
|
||||
# default rules for any IdentityProvider
|
||||
"":
|
||||
# default rules for any requester
|
||||
"":
|
||||
eduPersonPrincipalName:
|
||||
# enforce correct scope (the part after '@' must match one
|
||||
# of the scopes declared in the metadata)
|
||||
shibmdscope_match_scope:
|
||||
@@ -7,7 +7,7 @@ config:
|
||||
# names are the internal SATOSA names for the attributes as
|
||||
# defined in internal_attributes.yaml.
|
||||
ordered_identifier_candidates:
|
||||
- attribute_names: [eppn]
|
||||
- attribute_names: [eduPersonPrincipalName]
|
||||
|
||||
# The internal SATOSA attribute into which to place the primary
|
||||
# identifier value once found from the above configured ordered
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
module: oidc2fer.attribute_generators.EntityIdToSiretMapper
|
||||
name: EntityIdToSiretMapper
|
||||
config:
|
||||
attribute: siret
|
||||
mapping_json: !ENV SIRET_MAP
|
||||
@@ -12,9 +12,12 @@ FRONTEND_MODULES:
|
||||
- plugins/frontends/openid_connect_frontend.yaml
|
||||
- plugins/frontends/ping_frontend.yaml
|
||||
MICRO_SERVICES:
|
||||
- plugins/microservices/filter_attributes.yaml
|
||||
- plugins/microservices/attribute_authorization.yaml
|
||||
- plugins/microservices/primary_identifier.yaml
|
||||
- plugins/microservices/static_attributes.yaml
|
||||
- plugins/microservices/attribute_processor.yaml
|
||||
- plugins/microservices/siret_mapping.yaml
|
||||
LOGGING:
|
||||
# All the logging configuration is done in the Gunicorn config, this is just
|
||||
# here to avoid overwriting it with the default SATOSA config
|
||||
|
||||
+16
-18
@@ -11,46 +11,44 @@ version = "0.1.0"
|
||||
authors = [{ "name" = "DINUM", "email" = "dev@mail.numerique.gouv.fr" }]
|
||||
classifiers = [
|
||||
"Development Status :: 5 - Production/Stable",
|
||||
"Intended Audience :: Developers",
|
||||
"Intended Audience :: End Users/Desktop",
|
||||
"Intended Audience :: System Administrators",
|
||||
"License :: OSI Approved :: MIT License",
|
||||
"Natural Language :: English",
|
||||
"Programming Language :: Python :: 3",
|
||||
"Programming Language :: Python :: 3.11",
|
||||
"Programming Language :: Python :: 3.14",
|
||||
]
|
||||
description = "An application to handle contacts and teams."
|
||||
description = "A gateway from RENATER's FER to ProConnect's OIDC provider, built on top of SATOSA."
|
||||
keywords = ["OIDC", "SAML", "Shibboleth", "FER", "RENATER"]
|
||||
license = { file = "LICENSE" }
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.11"
|
||||
requires-python = ">=3.14"
|
||||
dependencies = [
|
||||
"SATOSA==8.4.0",
|
||||
"gunicorn==22.0.0",
|
||||
"redis==5.0.4",
|
||||
"JSON-log-formatter==1.0",
|
||||
"SATOSA==8.5.1",
|
||||
"gunicorn==25.1.0",
|
||||
"JSON-log-formatter==1.1.1",
|
||||
"WhiteNoise==6.12.0",
|
||||
]
|
||||
|
||||
[project.urls]
|
||||
"Bug Tracker" = "https://github.com/numerique-gouv/oidc2fer/issues/new"
|
||||
"Changelog" = "https://github.com/numerique-gouv/oidc2fer/blob/main/CHANGELOG.md"
|
||||
"Homepage" = "https://github.com/numerique-gouv/oidc2fer"
|
||||
"Repository" = "https://github.com/numerique-gouv/oidc2fer"
|
||||
"Bug Tracker" = "https://github.com/proconnect-gouv/oidc2fer/issues/new"
|
||||
"Changelog" = "https://github.com/proconnect-gouv/oidc2fer/blob/main/CHANGELOG.md"
|
||||
"Homepage" = "https://github.com/proconnect-gouv/oidc2fer"
|
||||
"Repository" = "https://github.com/proconnect-gouv/oidc2fer"
|
||||
|
||||
[project.optional-dependencies]
|
||||
dev = [
|
||||
"pylint==3.1.0",
|
||||
"pytest-cov==4.1.0",
|
||||
"pytest==8.0.2",
|
||||
"ruff==0.2.2",
|
||||
"pytest-playwright==0.4.4",
|
||||
"pytest==9.0.2",
|
||||
"ruff==0.15.4",
|
||||
"pytest-playwright==0.7.2",
|
||||
]
|
||||
|
||||
[tool.setuptools]
|
||||
packages = { find = { where = ["."], exclude = ["tests"] } }
|
||||
zip-safe = true
|
||||
|
||||
[tool.distutils.bdist_wheel]
|
||||
universal = true
|
||||
|
||||
[tool.ruff]
|
||||
exclude = [
|
||||
".git",
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
#!/usr/bin/env python
|
||||
"""Setup file for the oidc2fer module. All configuration stands in the setup.cfg file."""
|
||||
# coding: utf-8
|
||||
|
||||
from setuptools import setup
|
||||
|
||||
setup()
|
||||
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 13 KiB |
@@ -0,0 +1,9 @@
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="refresh" content="1; url=https://agentconnect.gouv.fr/">
|
||||
</head>
|
||||
<body>
|
||||
<h1>Passerelle ProConnect vers RENATER. Redirection en cours…</h1>
|
||||
</body>
|
||||
</html>
|
||||
@@ -0,0 +1,42 @@
|
||||
import json
|
||||
|
||||
from satosa.context import Context
|
||||
from satosa.internal import AuthenticationInformation, InternalData
|
||||
|
||||
from oidc2fer.attribute_generators import EntityIdToSiretMapper
|
||||
|
||||
|
||||
class TestEntityIdToSiretMapper:
|
||||
def create_mapper(self):
|
||||
mapper = EntityIdToSiretMapper(
|
||||
config={
|
||||
"attribute": "siret",
|
||||
"mapping_json": json.dumps(
|
||||
{
|
||||
"https://idp.example.fr": "12345678200010",
|
||||
}
|
||||
),
|
||||
},
|
||||
name="siret_mapper",
|
||||
base_url="https://satosa.example.com",
|
||||
)
|
||||
mapper.next = lambda ctx, data: data
|
||||
return mapper
|
||||
|
||||
def test_sets_siret_for_known_entityid(self):
|
||||
mapper = self.create_mapper()
|
||||
resp = InternalData(
|
||||
auth_info=AuthenticationInformation(issuer="https://idp.example.fr")
|
||||
)
|
||||
ctx = Context()
|
||||
mapper.process(ctx, resp)
|
||||
assert resp.attributes["siret"] == "12345678200010"
|
||||
|
||||
def test_does_not_set_siret_for_unknown_entityid(self):
|
||||
mapper = self.create_mapper()
|
||||
resp = InternalData(
|
||||
auth_info=AuthenticationInformation(issuer="https://unknown.example.fr")
|
||||
)
|
||||
ctx = Context()
|
||||
mapper.process(ctx, resp)
|
||||
assert "siret" not in resp.attributes
|
||||
+134
-44
@@ -1,8 +1,12 @@
|
||||
import concurrent.futures
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
import time
|
||||
import urllib.request
|
||||
|
||||
import pytest
|
||||
from playwright.sync_api import Browser, BrowserContext, Page, expect
|
||||
from playwright.sync_api import Browser, Page, expect
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
@@ -10,80 +14,166 @@ def browser_context_args():
|
||||
return {"locale": "fr-FR"}
|
||||
|
||||
|
||||
def renater_test_idp(page):
|
||||
page.get_by_label("Nom d'utilisateur").fill("etudiant1")
|
||||
page.get_by_label("Mot de passe").fill("etudiant1")
|
||||
def renater_test_idp(page, login):
|
||||
page.get_by_label("Nom d'utilisateur").fill(login)
|
||||
page.get_by_label("Mot de passe").fill(login)
|
||||
page.get_by_label("Afficher les informations qui vont être transférées").check()
|
||||
page.get_by_role("button", name="Connexion").click()
|
||||
page.get_by_role("button", name="Accepter").click()
|
||||
|
||||
|
||||
def renater_wayf(page):
|
||||
page.get_by_text("Veuillez sélectionner").click()
|
||||
page.get_by_role("searchbox").fill("GIP RENATER - IdP de test")
|
||||
page.get_by_role("option", name="GIP RENATER - IdP de test", exact=True).click()
|
||||
page.get_by_role("button", name="Sélection").click()
|
||||
|
||||
|
||||
def oidc_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
page.goto("https://oidc-test-client.traefik.me")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def oidc_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
page.goto("https://oidc-test-client.127.0.0.1.nip.io")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":"Dupont"')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
expect(page.locator("pre")).to_contain_text('"usual_name":')
|
||||
text = page.inner_text("pre")
|
||||
result = json.loads(text)
|
||||
|
||||
id_token = result["access_token_response"]["id_token"]
|
||||
access_token = result["access_token_response"]["access_token"]
|
||||
assert {"acr": "eidas1"}.items() <= id_token.items()
|
||||
userinfo = result["userinfo"]
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
"sub": f"{login}@test-renater.fr",
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
"siret": "12345678200010",
|
||||
}.items() <= userinfo.items()
|
||||
return id_token
|
||||
return id_token, access_token
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_oidc_to_renater(browser: Browser):
|
||||
id_token1 = oidc_to_renater(browser.new_context())
|
||||
id_token2 = oidc_to_renater(browser.new_context())
|
||||
def test_oidc_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token1, _ = oidc_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
id_token2, _ = oidc_to_renater(page)
|
||||
|
||||
assert id_token1["sub"] == id_token2["sub"]
|
||||
|
||||
|
||||
def agent_connect_login(page: Page):
|
||||
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
|
||||
page.get_by_label("Connexion à AgentConnect").click()
|
||||
page.get_by_label("Email professionnel").fill("jean.dupont@formation.renater.fr")
|
||||
page.get_by_test_id("interaction-connection-button").click()
|
||||
@pytest.mark.skipif(
|
||||
"BENCH_E2E" not in os.environ, reason="Benchmark runs only if requested"
|
||||
)
|
||||
def test_benchmark_userinfo(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
_, access_token = oidc_to_renater(page)
|
||||
|
||||
request_count = int(os.environ.get("BENCH_E2E_N", "100"))
|
||||
client_count = int(os.environ.get("BENCH_E2E_P", "2"))
|
||||
start = time.time()
|
||||
|
||||
def agent_connect_to_renater(context: BrowserContext):
|
||||
with context.new_page() as page:
|
||||
agent_connect_login(page)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page)
|
||||
def make_request():
|
||||
return urllib.request.urlopen(
|
||||
urllib.request.Request(
|
||||
"https://oidc2fer.127.0.0.1.nip.io/OIDC/userinfo",
|
||||
headers={"Authorization": f"Bearer {access_token}"},
|
||||
)
|
||||
)
|
||||
|
||||
expect(page.locator("body")).to_contain_text("jean.dupont@formation.renater.fr")
|
||||
text = page.inner_text("#json")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"email": "jean.dupont@formation.renater.fr",
|
||||
"given_name": "Jean",
|
||||
"uid": "etudiant1@test-renater.fr",
|
||||
"usual_name": "Dupont",
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
with concurrent.futures.ThreadPoolExecutor(max_workers=client_count) as executor:
|
||||
futures = []
|
||||
for _ in range(request_count):
|
||||
futures.append(executor.submit(make_request))
|
||||
for future in concurrent.futures.as_completed(futures):
|
||||
with future.result() as resp:
|
||||
assert resp.status == 200
|
||||
end = time.time()
|
||||
logging.info(
|
||||
"Average userinfo request time with %d parallel requests: \
|
||||
%.2f seconds",
|
||||
client_count,
|
||||
(end - start) / request_count,
|
||||
)
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_agent_connect_to_renater(browser: Browser):
|
||||
result1 = agent_connect_to_renater(browser.new_context())
|
||||
result2 = agent_connect_to_renater(browser.new_context())
|
||||
def test_oidc_to_renater_student_not_allowed(page: Page):
|
||||
page.goto("https://oidc-test-client.127.0.0.1.nip.io")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("pre")).to_contain_text('"error":"access_denied"')
|
||||
|
||||
|
||||
def pro_connect_login(page: Page, email):
|
||||
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
|
||||
page.get_by_role("button", name="S’identifier avec ProConnect").click()
|
||||
page.get_by_label("Email professionnel").fill(email)
|
||||
page.get_by_test_id("interaction-connection-button").click()
|
||||
|
||||
|
||||
def pro_connect_to_renater(
|
||||
page: Page,
|
||||
login="enseignant1",
|
||||
expected_email="georges.grospieds@formation.renater.fr",
|
||||
expected_given_name="Georges",
|
||||
expected_usual_name="Grospieds",
|
||||
):
|
||||
pro_connect_login(page, email=expected_email)
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login=login)
|
||||
|
||||
expect(page.locator("body")).to_contain_text(expected_email)
|
||||
text = page.inner_text("#userinfo")
|
||||
result = json.loads(text)
|
||||
assert {
|
||||
"uid": f"{login}@test-renater.fr",
|
||||
"email": expected_email,
|
||||
"given_name": expected_given_name,
|
||||
"usual_name": expected_usual_name,
|
||||
"siret": "12345678200010",
|
||||
}.items() <= result.items()
|
||||
return result
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_pro_connect_to_renater_keeps_sub(browser: Browser):
|
||||
with browser.new_context().new_page() as page:
|
||||
result1 = pro_connect_to_renater(page)
|
||||
with browser.new_context().new_page() as page:
|
||||
result2 = pro_connect_to_renater(page)
|
||||
|
||||
assert result1["sub"] == result2["sub"]
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E_PC" not in os.environ, reason="Depends on staging deployment"
|
||||
)
|
||||
def test_pro_connect_to_renater_student_not_allowed(page: Page):
|
||||
pro_connect_login(page, email="jean.dupont@formation.renater.fr")
|
||||
renater_wayf(page)
|
||||
renater_test_idp(page, login="etudiant1")
|
||||
|
||||
expect(page.locator("body")).to_contain_text("access_denied")
|
||||
|
||||
|
||||
@pytest.mark.skipif(
|
||||
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
|
||||
)
|
||||
def test_serve_static_assets(page: Page):
|
||||
page.goto("https://oidc2fer.127.0.0.1.nip.io/images/logo.svg")
|
||||
expect(page.locator("svg")).to_be_visible()
|
||||
|
||||
+14
-5
@@ -26,7 +26,8 @@ fi
|
||||
# https://github.com/kubernetes-sigs/kind/issues/2875
|
||||
# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
|
||||
# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
|
||||
cat <<EOF | kind create cluster --config=-
|
||||
kind --name=oidc2fer delete cluster || true
|
||||
cat <<EOF | kind --name=oidc2fer create cluster --config=-
|
||||
kind: Cluster
|
||||
apiVersion: kind.x-k8s.io/v1alpha4
|
||||
containerdConfigPatches:
|
||||
@@ -35,7 +36,6 @@ containerdConfigPatches:
|
||||
config_path = "/etc/containerd/certs.d"
|
||||
nodes:
|
||||
- role: control-plane
|
||||
image: kindest/node:v1.27.3
|
||||
kubeadmConfigPatches:
|
||||
- |
|
||||
kind: InitConfiguration
|
||||
@@ -50,9 +50,7 @@ nodes:
|
||||
hostPort: 443
|
||||
protocol: TCP
|
||||
- role: worker
|
||||
image: kindest/node:v1.27.3
|
||||
- role: worker
|
||||
image: kindest/node:v1.27.3
|
||||
EOF
|
||||
|
||||
# 3. Add the registry config to the nodes
|
||||
@@ -64,7 +62,7 @@ EOF
|
||||
# We want a consistent name that works from both ends, so we tell containerd to
|
||||
# alias localhost:${reg_port} to the registry container when pulling images
|
||||
REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
|
||||
for node in $(kind get nodes); do
|
||||
for node in $(kind --name=oidc2fer get nodes); do
|
||||
docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
|
||||
cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
|
||||
[host."http://${reg_name}:5000"]
|
||||
@@ -91,6 +89,17 @@ data:
|
||||
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
|
||||
EOF
|
||||
|
||||
# Patch the CoreDNS configmap to rewrite requests for *.127.0.0.1.nip.io to the Ingress Controller service
|
||||
kubectl -n kube-system get configmap coredns -o yaml |
|
||||
yq '.data.Corefile |= (
|
||||
trim
|
||||
| split("\n")
|
||||
| .[-1] = " rewrite name regex .*\\.127\\.0\\.0\\.1\\.nip\\.io ingress-nginx-controller.ingress-nginx.svc.cluster.local answer auto\n"
|
||||
+ .[-1]
|
||||
| join("\n")
|
||||
)' |
|
||||
kubectl replace -f -
|
||||
|
||||
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
|
||||
kubectl -n ingress-nginx create secret tls mkcert --key /tmp/127.0.0.1.nip.io+1-key.pem --cert /tmp/127.0.0.1.nip.io+1.pem
|
||||
kubectl -n ingress-nginx patch deployments.apps ingress-nginx-controller --type 'json' -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--default-ssl-certificate=ingress-nginx/mkcert"}]'
|
||||
|
||||
Reference in New Issue
Block a user