Compare commits

...

16 Commits

Author SHA1 Message Date
Jonathan Perret 17289b1040 v1.0.3 release 2024-09-02 17:09:56 +02:00
Jonathan Perret 0580ec6d7e Merge pull request #14 from numerique-gouv/fix-saml-signature
Upgrade SAML signature algorithm for interoperability with RENATER Access Check
2024-09-02 16:26:07 +02:00
Jonathan Perret 4b5bd5757c 🔒️(saml) set SAML signing algorithm to use SHA256
It turns out the RENATER AccessCheck IdP rejects AuthnRequests signed
with the default SHA1-based SignatureMethod.
2024-08-29 20:34:36 +02:00
Jonathan Perret 61680de401 Deploy 1.0.2 to outscale-production 2024-07-22 20:55:08 +02:00
Jonathan Perret 0fc4450766 v1.0.2 release 2024-07-22 20:52:50 +02:00
Jonathan Perret db99364ae6 Merge pull request #13 from numerique-gouv/check-eppn-scope
🔒️(saml) check the scope of the eduPersonPrincipalName attribute
2024-07-22 20:49:25 +02:00
Jonathan Perret 25c401c653 🔒️(saml) check the scope of the eduPersonPrincipalName attribute
The metadata obtained from the federation server contains a list of
allowed scopes for each of the registered identity providers.

By checking the value of the eduPersonPrincipalName attribute
returned by an IdP against the allowed scopes for that IdP,
we protect the downstream services against identity theft by
a compromised IdP.
2024-07-22 20:35:06 +02:00
Jonathan Perret 311d490566 Merge pull request #10 from numerique-gouv/check-affiliation
Only allow employees to authenticate
2024-07-22 19:45:25 +02:00
Jonathan Perret ba69d2d4bd 📝(changelog) update CHANGELOG
Document new affiliation check.
2024-07-22 19:00:45 +02:00
Jonathan Perret 82fc42d093 🔒️(saml) only allow employees to authenticate
We check the eduPersonAffiliation attribute for a "employee" value to
reject students.
2024-07-22 17:32:20 +02:00
Jonathan Perret 10fc48b9ad (e2e) make renater test idp interaction deterministic
By default the consent form is only shown if the requested claims have
changed since the last login for that user, and this appears to be
stored server-side, which caused the test to break when I added
eduPersonAffiliation to the requested claims.

We now always request the consent form on login so that the interaction
is deterministic.
2024-07-22 16:02:10 +02:00
Jonathan Perret b8fe38853f 🚀(staging) complete switch to test federation
Switches the staging instance to the test federation.
2024-06-19 14:37:08 +02:00
Jonathan Perret e03dddde67 🚀(staging) use test entity ID
Switches the staging instance to the test federation.
2024-06-19 14:33:34 +02:00
Jonathan Perret 15064a0b45 🚀(config) get SAML entity ID from environment
This lets us decouple the entity ID from the deployment URL.
2024-06-19 14:29:50 +02:00
rouja a2d275366c 💚(ci) remove secret from repository (#12)
- Remove *.enc.*
- Add symlinks
- Adapt CI
2024-06-07 17:20:03 +02:00
Jonathan Perret 5c18904e39 🚀(staging) use qualification federation
The RENATER Qualification federation is more similar to the production
federation than the test federation.
2024-06-04 17:05:50 +02:00
23 changed files with 181 additions and 183 deletions
+26 -4
View File
@@ -16,8 +16,19 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "oidc2fer,secrets"
-
name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
@@ -31,7 +42,7 @@ jobs:
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
@@ -55,13 +66,24 @@ jobs:
- build-and-push
steps:
-
name: Checkout
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "oidc2fer,secrets"
-
name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Call argocd github webhook
+5 -5
View File
@@ -16,7 +16,7 @@ jobs:
if: github.event_name == 'pull_request' # Makes sense only for pull requests
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: show
@@ -39,7 +39,7 @@ jobs:
github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check that the CHANGELOG has been modified in the current branch
@@ -49,7 +49,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Check CHANGELOG max line length
run: |
max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L)
@@ -65,7 +65,7 @@ jobs:
working-directory: src/satosa
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v3
with:
@@ -89,7 +89,7 @@ jobs:
working-directory: src/satosa
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v3
with:
-17
View File
@@ -1,17 +0,0 @@
SOPS_PRIVATE=ENC[AES256_GCM,data:k9v8gJJ1ZTDbN8mR9NegKpCC8Kbv9ZqWDx3nhs6YAC6U2gxI0RDg5KRx0juym+5DPEVG4ck8y+ju/4uthRUZd0JkexEJX0WKFTo=,iv:hucEFAC/FTQsE4A+JmuY1PeJJcBRAWUqEul5wplVsJ8=,tag:uCYu26tM4hlheT8bCInA6A==,type:str]
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:gsq8AIbLENiXfOg=,iv:48QhtPLRq0yWpffQPxmkb1FLOkNQ2vp1/o+fnU6QM/o=,tag:s7ADhOZ314EWMc82kRvK+A==,type:str]
DOCKER_HUB_USER=ENC[AES256_GCM,data:/+bIx0jMNg==,iv:Em3MIFQ8B457gwkRGB0JkRknpEQ1maiqW42gh9/DWDY=,tag:Hc8ZHDludj8up7r0tH2FRw==,type:str]
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:JHzooEYiqWdH4MjcNT3lL0fxY6YlfyhP6kM0kV6NPBnTtI46ip7nMXZoChkQT7CoPTof3IjMdJaD,iv:/CRQTZhnSi0UxgVd0crnvlVJfStIbYCG3cMTkejW0tU=,tag:p8QAWnwa+M4m9WSQMr7Obw==,type:str]
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:oQyuVQFPmhLIL14hWK0vUxo+r/QEj8hb2uY6bntlEyNqrFg7NOameWFn+dvCsN+C90HT9wD9yhu9aXsV92cJxDI=,iv:MVeeLpJU4taPqoGvJ8bqh6bfLHntRfqic/kIBPY/WV4=,tag:gJXkjUvSjrGjqPqCw6mRyA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQy9CUXhYSTVoMnNGZWda\nUUJuYnd4VVM0YW1tRHhIUjNoQnZ3cEc5ZkdFCmg2a3dkcGNVSGFWd2hBa3pVUU5H\nVlMzSHd1VlBBdVZHTXA4S214UkQvSzQKLS0tIDVjTCtHSnJDZ2pOOG5ONW1zbTY1\neHZpRlZqVlhaVkpsR0VwRHBWZ0d4VjQKQUFraK9M2bFItVmQ7l9Z59SY9YkhGzy3\nON3028ZP4Xfvr+8FaQj0xS/5rnHTFIKLmW7bbvvPWeBW/LFvfxaUcw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWnVKM2hwdXdDYXhVUzh0\nSGxrUWNYa25KcWdvRUxWNHl1eU1UdjN3UVNNCkJ2Y3FZblBMWlpUKzE2bW1HZUJF\nZldzKzhrWVhHd0RKN01Ub3JLYkNlZGMKLS0tIEJDTy9OUVNOTVdKQ1Y4eGpqUnIv\neTRTa1UrU3Q1LzVkZWpPaXpsamRXVGcK3PBKBPIVV58HT6UGOovjzgxqlrhDo/S7\nhIye04YRyGNZamnff0gOA0n9wXrcvTyFYiv5o9CFQtfg082j7ii70w==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWndDNDBoMGxuRFhTalJu\nNnZVYXBwTjhsY3BXZmV6ZW1jQkZ2bExIQmowClZCZmU5L3p4SmVXSmV1YnpXT2lm\nSFlpQ0o0cENtYVRvQ05vWE5XTCtNV3MKLS0tIG9oVDIrdElpd01JUEpRK1hmaWZq\ndE4yQks5dkRRbk9ZN2o3UHQxeHhlMXcKXBZxVw/yVb+qM+puQYOqqUHEsNggZ9LX\nkVOelk2UijLUHx9VCoerrJkfI3mUKCsNCvwnrL2bqezHgg+VhPhukw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_2__map_recipient=age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5N1h1OW4wRVh5YkR5TkJ5\nQTlDK2RUSkIzWjJwUnp3b2todm5FVVJPWnlZCjhJc1JZcEQ3KzJYRVBQLytOM3JG\nYUFJdHZDTlN3RXpyZlluWU13c0VET1UKLS0tIGhJZmJZNUx5TWl1YnFJN0RWeEkv\nWjZoZzZiM2lkMlFabXEvMnhaYUdxY1UK3d/SWz3fcij+4W4tq1zRFK+4sCYHTCxS\nEuT/a+St02Eirrg9SW3b52T1RvZriOQAR/VUG09pjjGliaf/oW0pVQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_3__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
sops_lastmodified=2024-04-18T10:38:19Z
sops_mac=ENC[AES256_GCM,data:HGGl4gcXnli8Z7P2P1MspygWRIHJqTLesf/QpiUUC6qH07Qx5bhN5fA1Oo3WTcz+fXkfAY8SV2RZb2CHxo/NouCiATw7vodX1ttwvsUE6RLgdjvMJl4ecWucZMiBdBtpFF4IHrKxswQg1FEdT8U/JP3Gw0TxxaRXIqskXkytp9E=,iv:fPcbne5lDa6+b+DqB+Q2pJ11EB9Vfpvqd9yextCjv7U=,tag:MkVoOpIApCIluFzsazl16w==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1
+3
View File
@@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = ../secrets
-10
View File
@@ -1,10 +0,0 @@
creation_rules:
# Using a single-key group to be able to use per-key comments,
# see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
- key_groups:
- age:
- age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # Jacques
- age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e # Jonathan
- age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj # github-repo
- age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw # argocd
+7
View File
@@ -6,6 +6,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
and this project adheres to
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.0.3] - 2024-09-02
- set SAML signing algorithm to use SHA256 for compatibility with AccessCheck
## [1.0.2] - 2024-07-22
- check the scope of returned eduPersonPrincipalNames
- require "employee" value in eduPersonAffiliation
## [1.0.1] - 2024-06-04
- enable JSON logging and LOG_LEVEL environment variable
- add production configuration
+7
View File
@@ -47,6 +47,13 @@ Finally, you can check all available Make rules using:
$ make help
```
## Creating a release
1. Update `CHANGELOG.md` to change the `Unreleased` header to the new version
number and date.
2. Commit and push to `main`.
3. Create a `vX.Y.Z` tag from `main` and push it.
## Contributing
This project is intended to be community-driven, so please, do not hesitate to
+1
View File
@@ -31,6 +31,7 @@ services:
}
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://satosa.traefik.me/Saml2/proxy_saml2_backend.xml
env_file:
- env.d/development/common
- env.d/development/satosa
+6
View File
@@ -68,6 +68,12 @@ def oidc_callback():
assert aresp["state"] == session["state"]
if "error" in aresp:
return jsonify(
error_response=aresp.to_dict(),
)
code = aresp["code"]
logging.info("got auth code=%s", code)
+4
View File
@@ -0,0 +1,4 @@
#!/bin/bash
git submodule update --init --recursive
git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'
Submodule
+1
Submodule secrets added at 647b88689c
@@ -13,6 +13,7 @@ satosa:
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://oidc2fer.127.0.0.1.nip.io/Saml2/proxy_saml2_backend.xml
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
@@ -1,52 +0,0 @@
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:bNRbntCYIa0YLGpvPaxomPz2TvrlUtniv9ehs6hdTSvR0DQqiiNq3f04nGKNvDTHzm3rxF/fvLPQFpEFN651iCvyeolvemzDwUlxxcCtgzcLso3VCLtIjaEFr3mWrcQZdOTSA1LbSNrXnmkKbz26tm66NnSr0GqAuj4M6uq2W14W951DP5DMEAIKdLVpIBLPtuj7LfrO8wHYsa5bQHfEby/SVCV33y6GD7NWQP+Og+z8cW+H1trGrySD54JpPWvC866wVXf5+9W5QTa0YAZfXgACnTeDrUGKHQupa/KnE8HPLN2RYBB0riDXfmTZt7sVBGyjFHFTDxDwhCsVfgl2LSXUurWN3R0KsJz9r/B8NRfo4uhW/y/wdgKkMNCm1vSn4OnasCGnDO0FTn9Fn5tJpXFI/zJf6/PPPENgta62Qle8WR4RU9H+OWlrxzP42R2AW4f0KYnjJ/e6spe/+CR7tXfiHHzjwKVOE6W5cc2cazeNZTspCXtsAtT3t+uatZbrjDejuluuZSLa6/ugVbvGyPwr2R7SKtJOMZbEYoIIOmtGy6fXlTnyHXFWr3gSCmhOC6C91IT+MA0izYzjjR+h1tYNgM3y+3D+HIaPCjmE7cV368qOfjCjHVavtd5t1aIBNgGaGVBL+m/s2kzCpAb8fS1Krdga6UyrV2Grc2HjLABdP+lEJj2y2aPne1AyuybCV+LBF83qjLh/gMQ5CN9HJpNEkRAal8M8/YYyBkWSGX/1f9EV7RuPA87RcDJFbduzf7MsY5u+T4kJ2ajz/jPSGTBSr+5AT7pWJpX+vwwN35ICQL25e8mADXcTbccrci0bZes48agwV3dMEMib3AjpSzfyjYnCymCYdKhzKnTeW8jIHIN0tOImU7or60JPalYYy6NMb2YMGEjWRmrXZvG/qOJNPMKiWt6nvrO67Y3OfGwlrb4yS0Nk40qR0kw/F/5M0di0W8oO/+Fr8gGBWxvYH4N5vgfG8QE1xM6khbIt3vxyrq3R9RWjtHhari9IMuJ35prVp6Tas57VKXdpULVFyXO0pQJEQXLTAl0SAdninU2Db1xJnl0N0pwPibkhrWusb/hq+4aXm83mXC+nJZQBRCfPWxddYDyH66xXsg7Atc2EV8XZGiLKisSrmYxvQeHPYIdMJgUKqV+at2vFmQgElzbOnt2/eezlGm17N/17xcDR9JBajL/kiJ0g6oCqjRA3N2AXpJr5rSTmlnNop3qtrjqLkdnhwLRAbp+Wcwy1v5ElkQkdlpS+S2W81odaEpfHDS8IkMh/zViIzCby8mqDhNv2jKeVumXSJxQ3aPBfNgkb25VciH986r49IT9lzA7MVcJ2iakbMq2S+VG45fEp67wOFuZCs0aeKrFkQnkvguVXIHYT7hmM9+mvp1sbrDKcCK9QqHnq//CkSC0NTcU44NB2R6OLfXYuN3ZcMJLBUI8IMtlbkVOrqYJCWzjiKlCTWKxSu1vl9TX/neQuw7aM32jaQ9MnyU2PQPAlbvU10UvSY8eCg6TYk1RL9KWVRHwIWrxKyzuFRq7a1Px1dR9cVeb1CP9oS7T9r5x1KOfZksOcH4hE4uZcm5W2VuFCmU5N/qV+PUR/93lvrHpUSOKucOjUc6aA+DsYLWWoU/FbE5ompJ5z1qGZaceq5ewluZJp07NnayULlyfh7TcBOE6mwS3n1LFdhUPhqAv4mOfxPE/qO8DShOH9DyJK0Txl87qaJw1BCdsurGPl56R9fMiUBugPpLmOYnbIYr2KLSJipuUhVJVJoRu8ZMrI9+CXn3UvrK40KpAkw+DioWRUMNwwoWMalw4rQpuIVR5KrA+HFA2h7LB4S9gF+lEUXRckcI0vH078SxeZvIb9HWnDXY9eBGH6JtpkbAqOmSL9W/jQ1jneiVnb2RHTLvzD0QYutW0pgbuv1bf6CKbDVwLjaMyzg1Y2KRbibHpeBmE5tgNiZJU39mcQBcgg9BzwVDbbmWshx+yEMzRbkzn5D8eGdWLjlrYod5IPJYzFJ2Xib8b+wOeyb425/IALFllugssbIptmZxCIh1wRJlI5FTv7RqBGPzhE9v2sRjwZcTG45qqxipEpN2MyfDQQAySXB4Wn4Hv8khTJwKCWnFcQ10nqcbl9occ/JFGhmKXB/wcsuBZswYLXb4fXDw41drqFihJoJkOI2a1yQvC4bjZt+L6irbxXBtqzAtGDzXkFoP6SocqeU5QMSHr8V6CY9uTM1d3TGgS7pfMlD1m7FqmNUHbFA0tM+vue0EFtEwo=,iv:nIG2yH87Nni9T6pIULBT3UjE84fo7qcXKh1HMaNN8wM=,tag:cxicrx6v1c6ggtKG8wGzOw==,type:str]
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:vkVGrB0KqjCGU9Mmqo4F9ClzVz48kRCJF/SWXUChnrH6iILBKKd8qpiCdh2r44Goufy5eau0fYh93DO9/81PkXzW6TpTKIhS6L0FxQ0V4Ur4QOkxTUAyuyepSrWCBfH4KCo0WmaGJUQPKT+rvyy4AysG0cEKIb9CZjYx0C21M97q3PGMOa643QrWa4VLJf9v1sOgv0pBUElfPWzUsKdslD9unJPtFtYjGJx7Nz5MPNuFfNqS3U4kaAgmDn5cYNfFYc0su8DVtQSED19KN3NNcMfW0ON5dWvkvqFRbd8UsL//bWQrCP8EsQAipr+I8CTEbOzMw0XmGAMglAB/fCf+wf+W2txXTHPLzlipweNKealy0lQsw7+RRcx4/ON8lcMm52zpf7H3VtEwn6RxCKOrmF6M9MnBxZEYYvramCxA7KJ1xrKxmwwPoikxRnRYJN52shXjt34+3ykaYapuFYV5tnMM17vhtpCSRaEWoKzTVGR7Pb1sEn0yBMuXADEhjVOFTHEPWpEUX28ukA26Zn4xVrMiL9gGK9z1Nemiw65oLY54xmdVelIM1djsKfqenODzCqmlbq950GZWUBT4LaQFtkMuRJK9Y2U+jI0JCA6SVlGSylKSWbaLlzKU97xf6HMKz8wvw+aPJX6PDasY9C6JDRy7O9VTZL5UKcbUAtw6q7sp8TVPbssMlct1oM4YP2RYNKo6mZE7NGfL+IIa6H+hk2o7ULW+H6B4oz0i1F2HFScLRYhxCgl5iQtxX4oWpqn1Yag/1WmsJUL8tM1wE7MfX7T4Aa3eQzWEfjJ+CgTj0glaWoKl04myFSA5/howv8jE0xYd+eCBvftiMCX81tqvBSxbE1qXZiOnqYB4vsJZbaJzXojTzV9rL72cYviCGSk4xklJoD+ycikyn/iNZ4hET3nzrDZolFA/2WCFbFtjpGPXndoiflSOOhvPb56w1bs9/af3p79GWrm0uOMkMo4IsQRuTgFhBETmA3VdVKCGMswmC5lHB9aZ6JYuQINxufKSo+hw5cnF3qstGG0b+AjCdmEK/xaN4tuOeuFPFj6y4EVB+9xPNCbyP3jk046DO2fUnr/sHcB3LYsGZuo2hw/qxua1/LXBJpY/Z86sp/EKHGBRIrBhq+zTXaiuEbUon7xpE0/rcrMZUuz8genyA9GGQsnmhV3ykVSb39rJc5SJ6m5AxaowobEuEYDUGSngSjTuBO/fQMjQAWVdpF6s0vhTodv0oiYR3fARj9xhNrTBcSF3fBHIFYlzqF6sq6Gvjusog1ihkIe05o5OzoHLvf8p7sWQ6MvOaiUnH7bPieUge8ERwmDihoaPgWVgNAEQAZ5FGB5VAQ847KR5oOs7YU0uhn+xXaRdrsxI1YzOJcfBx13+5B4Z+yu8SwBGnvkZPdrBqaizSyRPZuCw7RBPxSbjg4eJaVFdOn8OlzvYxEaTXYopIXo4Bjubaws8QITqAduFg7HS7TWGHDe3HwI6DnlMfcgYrZl1l/FHlSYjdbN8Fr9cHxYNJH5CbLeB2jB4Gw8HzsmSNLXT8fv/aR0RLfNvtScrMg==,iv:TxSEZLotrgoaGfdPndOkluXAazjc49+K+pJ7Vbv9wZw=,tag:1DFBDaEMsTFw+OR9lxu8Rw==,type:str]
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:+ccVB/bzqdvL85ub+/Aj8Oo52D46Dbh8nFw6tzbvqa6jGz5Jve5wNNMEToBD77esdqNE77BaO8jOPiwLh15m6dpjIK8Cgq6N3PoQ8OADktYYSFa+GLmBbkXISIXyDZZmp4uUoVMOIv24uLtScWhugB0OksycmlVzj+620C937wd9RIC2bSUwUjRs6nodABt4flLKURkAyTLTt8KtFJzAmeLgLEoTCFpXrVlaxgOZjB6qNs3bJLyXCJyJj6PjQPCOGTE0PT1uNRCketTDyDWKQrIG3v5n1OLssnwfwHZk9Er9PdlexUuKmueWvjrv9ANfSc3rhv9gAHH107p+ji8jtblVF7CLGIXLjRjDpOdQbKply1sD/LQaoKFPZTSWXpXe77j/pjmlnJqZ6kt3N6DZEh2Xo2llR1KUXsU4bxpB8VoGHUPoWFceNgQLt2SO19NKEDg6qJgO+qzAMsUCNFogoXd8fo3jO2BWUraqDdyxK6f1Qr5eICBHKcqr82NOyllRedkLCwNeln2Gda5Z5BwhfcfEcbPQ0L7dmGq0ApuTRc0LX2CLnDqnsMn6Ax/CV1gbYS8XCLk8QA5htyRCAki0uj6G6+b1yDlZqnR6c7FW+FmmpNUBJK+my6Czp4wTW9aEFiZhcA+nAsGK6VGCV3nNvhhcOAGihTUdSBywSHW8fF40+uDrkYcB1f/MkC3VwwK2EWQbupYti6vrlWF8LKd9hapFWLJy/HL540UuWoUSSGLJOsfzCDXDOsDfKQkcx+Of5APQpkeJCirgj5UBYnAA7h3618hUrkTvSK5SflqYL7nSQ2iRdpiCdSm2FlgMiGUusoKYtDtQmfw/KZ1i12nBIW/4gul8SU6MlsHa9nC14NYqE7Gm+rzv/1z0kjLrE+SDEdAT5YNpoYpwjiljBbjhNuaxetHyJk2v53aQnwNTbiEy5XRJ7KvGPyFUJJkMYGa9l2HPPzhhiSMp69SX+hwooYtRLOkO2/76ltgyFPhY5BIShcSA2iKLgg3rVTO4w8JE9VU0F/sgGv76C6ihhRd9zWdQlbcaechcLG2cjdXaa8+/a3JJfTsV/18dzq+SkaPOebGpgjW8V7Fw4Clbxd/ZoADkq3sfV1WKpzvIFoRcXW1rXlFT8u8lyYfxyYTsosEy79pTYLKoiuwQ3xnMGTywP7QZ3aYD17RNCz/YnN1ARFQVldaqyA0C1GG1CSiSl2PKVFI0cd5lFPKIeXhvcct5bcJBEHw3ZBt3u7MzPDiren5ts86BgwMbjdcTcbsVSnE6S7+eYeg1oi/AzscDIi4U/lgNLtPOhHk53fOi6UvMYWieKjQL+JtvGIJ898ZqoAN7Q+/ZLoNepNVIYSqsfkkgS/fFtvvl6YEVJSXkVUxMQ2s4AP7MnW6Dko1L7tzaINl9omK01/Y0oIwdUskXqkTpcBVuvE0hd5qzcEL9UjN9YCyU0kYa+4sgYrvz36+/gohSp/ZMK0M1kJUn2dz5dw2oQNK54pym+8gBHwKfzydXMJmSh9pe7tyrOnoDBevetghd7fBcxHaC3SbfkRC9bDZkve04/dOIhI0y4ECs+fRgNXzVOMy4dfA4n+3Zs2vqPX7dBF0oGqPnvw4W26F5exy+Ks2Js7YjzBEHEyly96p/8ja9oBJahvaNGWGJ/uKj+S8Pr7RcuBSrzUKgCNCPay0pL1xttv8BHkJNiM6hbnH28/w06JnKp8NvBgTX5AgjbKdJUbbAh+ElEaYzi3zqri0EwyFb8/T+F1UWqp3lWgh0ztWL6hU8M3Do/HqsfZGgO1GME0goe+rUqYJtemKi4ObNPmVsnK7xfKMheVxhsdJN1rSbq4ZAiip8ZqvREgA5wMNgb5HmdJKFZOj3FpCrnOxn+/mxPXMaC5lpfdv/oazWvnEMxzpreY10UBSaCrGYWxeZHET+ryj2cOxc2mv+01tdRQXNHEBCQDprOcLpBxrWK28QdFfb2bGpHAZODeBn05CWGMAD/UjAD1FaWFg546NpOC7/2BuP9RzUSKmCGetbK+LEtjGT9G1ljr610uvmI1gfMAvclp2Jnddc590Xzt1+7VUUagBpUpuJyA4Hd3cejumfUz46T20ILs75nQewHC3lJ/K91ZgMzAmy5pi/iUvcX6yVn5T3FQviRLLQOlCGurBt4gGFd7Z6n7DdNQPf1Gw6PUnTWLZVR3jG0x7fCIlsU/A7RR8fc1XB2D6qnGXazMgQJkv/Z7sIkfyOrShuP9k/9iralWQbdup9Wdxxy7yAbrH4GvB7FEc=,iv:aWuvKqvB5IAqtX9eXv8x83edY1a35A52gfSi461dwTE=,tag:8skKS0UvaOZy7KP0ii8fkQ==,type:str]
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:i/Eh7Tw2bRmt7RGdl3DgQtW/xWRH734NC34iuzllKcEiCjS8HhiRrMdozEsoo+jd4h395XNw4bUeBIWr66JY0A==,iv:nB3bKa3rm+gONINsKyRRSQkkJWO+JJlb4B9k9o2DpJw=,tag:MesJ3dZYi92Fi+Wwrs8gnQ==,type:str]
CLIENT_DB_JSON: ENC[AES256_GCM,data:tEm3OufNzYelKJnZHD4uhnHPAQq3j8uWatdzFBnERYrKHejyQJGbrgzD4JMJAGQp6hNlSst/2uqhaICoXPLzSOkq0iF9V4P1/HRaA1qpbtSJe56wiMzdXb4tvcQ3aSeEmNQsHjnoTmdrNIgMi2/X0YVd3Zu2Ju5gGm8xIBnlBnUdBS1BqFBUoDIPoj/dku6KsdJSKRQw05PMzH4n0jCgqtPgMXPDUFHFwrXv0wsWvk4rpie2LQhIGMxHa161fybmPpXU5VMEiIho0tSXEO69JbmP7jfpOEwJqh3Ti5URTETXxxdzoDX/E3EY1RNtog9WkfsN2Bzxd9BzfylLnf5Qq9EYuABjpSzhNMeWZsMn0ohRTkPlhNo4WHuYVaR2DK7etm+YwLLJr4KQMlZMho6uKXK6UC2wKAVHgg3zULd31ZUIpfKChdfI,iv:+Pbk1dlO8mDWhdyj7bIZKmswtIA0+KsV+6kAAdSQebE=,tag:4jiRZr/HxWMXZ4a8WeIu2A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-16T14:23:25Z"
mac: ENC[AES256_GCM,data:rii6asmLqUJnunn4eTj2ClS9yBjSeoUo1JrcrhQupb+nMIadWdgG0OF9uAkmJTfGSbrGJNhuxUKH6DEzG5DQ9fMv1xdewaxFcHn0xS8W1OypgYOxGpXtChcPfKX2Px8bfijFi59ETnvfIl2mbCqVKeH3ZUOk/yN7FbCVLVwzCy8=,iv:AcyRzDVoCUdUv9q8FqL4AOffWCxEfKXr14goyxI6sKw=,tag:ZOm97QO/rexjoJJWW2G/Eg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
+1
View File
@@ -0,0 +1 @@
../../../../secrets/numerique-gouv/oidc2fer/env/outscale-production/secrets.enc.yaml
@@ -1,7 +1,7 @@
image:
repository: lasuite/oidc2fer
pullPolicy: Always
tag: "v1.0.1"
tag: "v1.0.2"
satosa:
replicas: 2
@@ -13,6 +13,7 @@ satosa:
SAML2_DISCOVERY_URL: https://discovery.renater.fr/renater
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/renater/main/main-idps-renater-metadata.xml
SAML2_ENTITY_ID: https://renater.agentconnect.gouv.fr/Saml2/proxy_saml2_backend.xml
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
-52
View File
@@ -1,52 +0,0 @@
SAML2_BACKEND_CERT: ENC[AES256_GCM,data:uVs1uGoFfESz0eAkxvPUkSXQw6cCvzi+YfH7pbXLxAXxYhmiKf25JarZX2ur8au3pdOd/rz0mZGpC2mfN8Fh+3+a0hseuvhqTetiFlc7Gc84HTXnyUQFzZa4Rgk6LeKGB8TDLG+s0F46u75KrRdHrwSbthBQhtiZCmoc+JcqSKJfl9Kv9OVMXEPHUy3zYvIy32Gk/+BEt+J9eo3RT1ZmmyRZToWWgXe906n2Bhvm8q05OgHkbCqu29TGKBviwikWTa36aUWNVdWh6XW7CtOPjWDvjYbVgb3O/Vwmw3mPRGviuAK1WS+kzMyP5oYQsWC5F97R0XlhnKElxpIRycCz3m/YLShuM1xtStiiR4mym6mNi99YonQ6hbodHSij9R/udXyMLeC5QZM15XzWHGFA+NemqVMGZ2C/xIhHCNUscKvHzOiQ2RiTk9VxNZfSdkzEXe2gMbl/+o3hSj8usFJOZWgToiYN+oBXgP1KqRlwdPSysCB3hs6mysn/1WlILWXN+EOYJP1jLsv1T4dC3ajujmnmhCn3/EYVI4TKEM6nJNs2KxNqlsC2D4G2n8NDciZVUt5a82tXWW6/ROA5UZDFOILkCHvfk6nkTRZjcXWmtPmCgwy54TysJ1wLsIycAsd8MuBTD3d9SpYFHKNC74O30bJe8GqtKObvHg8Ycp36+oH3gs41Mv5H32DumkUF6FcMJtbOEOYoEiHtuMSVXzuIdr6ikYQsRBU4v0UUpJTdMl2W+tYB8NeWBdI4jYaR+xwLw4+gs/deXhE7USTlPZJDB6a4DValxm+p7dLmUr5McgdhyEAACmxzhiSl33ccV2dIQCMsk4RoBXCZGX10ElY9bMk0vLaB5/n6qQgP51onxOUeJ6poKj4wneIZ7WmvbBfAVFUHoCPMQemjEEk6jVza4la4yQUW9rCgo/Tpfb7e05A+ux0CvNKvhcJLfyxN+LwDOw5X4p80gdVO8aWKyE+Ue6GPQBMZ8Ma31jlX//4KeIVcjpZAdutp38vJ936Ezrowu0HbviC1f0pJWXBVw0G8DGtpgorYhkN3Biwzu30jMEcWJXFSPqBGH0U2I5D4IXsDX1rH3DAR5UOKMVbWJ72zUq99Uip0FiaY1IVZLvfkfbPHwVq3jmuiZ/nXn1HenmNlkYOmOtL5BnZ47gHgXiMgFx6YGMBY50pZvk8ISKcacP52N9ph3EkovJR3Uam4XrtbMV0v9AGHX9aXYF1uB37q+ifZ4KB0b91dbXIUxXMb7FrbZ/iDX56+yTzdxdnXHWsmcBtPNFHxo+QjZvk4+UWlvoahwLJMGlxtgk71TPF65ms8y4L5Qq1vL2BgGiKWARWmq7KnrmrXQQWRZAXQd0lfqhVo7GDhppJUKBgYSQ4rC0q6u2mEm9YJc/3vsudKkwTyoYfBOmmz2+xI8fdaFuzg9UWswG3n61HMFYVf8+WAmoS7Bo21ns+KiIOroGruYdExr5rJOPcsLiPEr/Qmk0M=,iv:VI5LR7U20u6jG2voQgbnKcXclbWnROASzoYYz9N8Qlc=,tag:r1hGWOZRaiBblWvntcdYzg==,type:str]
SAML2_BACKEND_KEY: ENC[AES256_GCM,data:svNEf0i2AB0fQlJlwJ4tkST7R0GGArPGw7iVGA4pRYedphZrRkeTVUoI3e/Ku5fTv2IXBK4NU5NB9OvFL8VaX1hN3xxWcW6htcOzSGPklee/U4j9fSnUvZzCHtCz1sYgCoQCPcQObfLA2S2H+CMekJpy53djxfjbZdo6+A+T1Lcqk/aJkl8IO0+LgfK2vlp7X5hR4BLS+fdVOrogqzlIrr7iumvSBTS8RY0dp87iLGcWmKCYLrvSieyneiC1VgYughl6LxcPLBTPSJFZBt0NLR3oUMcumBaRpvrlLxPihJbqyC4Jn+We0IKBMYmLCEBBLjx+J4EFLHaG6p3+SyUmLYNJMeOvvexR/qTaiuwUp/3gsD8PrwxFVn7Z3jeL5gX0ohCQyETNuLpAw47yNAlHZaZ11FcFpRUINZrPBG/myJk4i40UQ+AmWBPgS/SxmQj91hoUPw23VDTGWLKv/B5Xd48A3hEOKeA7PmGOfCfd7d9eOJP42dcqWyUypogELAJgF+Leci4q6T99fnIGlBahJK8yDltc4NU4kEAsACdIBZBK+Ezyu+n1hOtg9BEDOUeilSy1TAgfi/B9CQrFLU9cSo1qFPHxIkaRPV3IVuGfEaxNpVrv68RaicYCfeUWIcQ3h13ftPIQlZ6rNukC1pDugV4GrPTtapokV/Z8/8QU0BcRAmfDIniBlk+uP2ga8YDJ4c1FDl6KYQt2zyzFQACOoVPOm/VvffGzOl042iO0ibHAklZerFgbjsiUCpBcRi4dOFqMt6OkvdTldFYGOm+FADtVdJaRoUk8uXe13GCUASjJUCrMOmimEb6gKNYbm2u27kWBIlPMNmLlelVkEpmPCmAl2yLXiJhdxBu0YgHyqwqizKOumckoYditFDXkK52ZtANqwLaHNtGV+aB5dvxRlN5NhsUYr9zLmgv4bUkYL2lI5p5IFN0Lha0fDG105FbIoqmuKXxWJ7IL7MisQLW5DGzN29gWH/uh3A00b3jiEn/0HvEh+P/38t20/IP/l65Z7OZAf2VA1jpCv04lKPXYmvMbcXIROhWcA1yqJvdgiNIh8eWWt/1mFzjRHQ1vfiW5XEn1Yoln6Q++Q5RgnlraizuZWDGeKvP/b5+B15lgdx7keG5rmSpn8ogJD7Cey6epsVY84Qbqpvcp5i5EcL/cMs9NkN2Yf6EGKhczILOAwH2YypWnttIz8OrftjqPzbAP/XOXLFxNbFBlyzLlYwTcjNUIZtg9OwK3k0zDKeHT+q6xSMFdyf3Xpdoh+NJD1QYzoSzosWj/Yzxg9bZVVpKOb89fkGRpNtCuHEkprr0LJUCaPSArANE+MH7E6uisBVvIQwF9MzTf6apHoyUIi0Oq0dRpryvD/OBf0V0Zn75uitpoSqEZf+i8+L3s7dsFp1lEwywUZuZPxmk8kOIyPGNG6KmuFOr0j/6jPO4/05dIvYb/f/sSCjQo3E99whPx5Of9tmlU4eCM4Fwzpgu/w4uKy4f27W4LYosfpENHGRbaWI2XFmmNL1J6Lm6h1yZ+3ck0391zBZA0pp0tNIR5AEc5UBn8GQHrmk9NW2QLMqQLPmhgAD6unHeJY9iYMoCAMqc14c6gjF7gjBCrZd58qBTcNHw3p0GJXACgCm/OGqhRYFuWF0kJUugnTK9n1wfy3/HNE/adBnOqJWEkoP4n/VVL+eucECBtOX0jPFHmPsMYMSdwupCB32G7I36dQPYQsjbD+Sg9StAQxbXUIALRQ1cMaeHpUNSc48sE8ElrjZStNf46oWs+rDjhleWdOlpfsOJ+qwJrLLXFqBMeFtgXpzL4NnRoEGjFFK5l7EtfGDK0/ytPPmOwarjEDftaLmDTfBniZrt/WuuChe7MHbKRcGFkBYA2nbbBfMcpnsGBXpEMQl8LYZR9Sg8hMT0rFYtXj+h0ceCIfsa1HdV43NR/oos7Nf32rjLAu/jVUMNwWOKew5+Du61gmhBVpVNtvTe8+31dYMoQGQrIbxnHQmT1fu8LB0Am45+Zghk8sc0d+81xEzYxvYXMR/QMbwJnWGGI4e7XSUMA5k9xKXXNDeYNCP/e9BGhl9sS0XYX0HSrjX6rsVI5K1QRjT+CBiIqlS7q6bofZ8tsiYhRSh7pgYgvodsPKezrZCTTY4/Xyg9iLMtqtpqMnfqmbaYvwJ6r5LbWeR89tkjmlHcWcue/85Y2D/1COiGFRODIityykTTjacGj/MlYXPE3O20Lr1P1YP2lm22i9kM5jKuCiGbyMn8ZuFVQ30Hnwv2qH4k=,iv:itJR8JpZRrwhbQY/kTEURY28vyu1qex7GsRme9icZYw=,tag:JgkJOE+bdK19KjvdH/k1Ug==,type:str]
OIDC_FRONTEND_KEY: ENC[AES256_GCM,data:8I/blGdvSDc+Hy96s4OsULJTo9+qyF+8Z4mxA/S11kLQjhue9sRTp/2Q0Db/gw0fMibb8gwrRi4oH4BsHfXaNxtyPCxrgwmeCpaq0rvgrOn+czEDQGErf7QxHnzvsOMBqMygRWKk3aKLjZTNvfMeaQL9KSrtEgePrfUvykSIPwN4HwtNH9Tymq6xopAhgk9jWq5kzomCu6u4OCxz9Fp1GgTdj/gLplMWYeTyWZQFRPimZoBfoxhbih9qofw4uqmN8+iT/Fj9EOAUMsdYeI9i2GKoT/YRso8yipi8760teUwqoDntTVv2ExR4zDvhI5Z9jISyX3qAXls/bwmwAWSb+JIxPAwgbsMDwmPTHItG3Xr2NPkiBVWujMhg7duq+labguwUZelpqQnvnKbxWHm1+NGRS+VYpPQRvzRREh02ybDt7/yjQMSAhWOkDXzZf6WNQfEf5jguz3B6CA6PGAwz9gZX7JivP1O5ontaeULbF373VsOQPmn57qZirk39Ntg7S9tkt2voxilSBMkhDsSXC3Qa9veGnd+t+Jg/YCEamoJEJ85EBfPzgvr2s6Av9D8B2h/gruXCQVCm/Zr9BX8Lus8JmSohTeZUFVteabmxr4W0gwPJgb5Ki0HciKxGsE7ITA5SFFN4LdxsBHlvJ0aJ1pipYfkkpI3YdC45CI22b2gDNIqVamK8hpYn8bTP3jLWsO36M/wnDB6oKsFiTTb4HxNuWVzIshQG8Ua0xwuhizuvZRDuRPUe+gfaiy0Dqzo/RLX1C92TJ7tYzlpM5/u0n7YkY5+/IB2ljnmAC5Kj5z+kNxhTflX/8Z62WTPBZlzE+kJb9hgMQQ8t7jDk6RnpmrUhOKx7rzrFzI/qmXC9+8yHEhiCBI5Wn3R89uCwV0O6WAhIuG9zQiaSiCwDaS3DHCy4PgcUBdbh5tddJ6aazmM9xBZFcevy06gWKmdjbkg3sacjCpTTdnIT4hwxdISTRWtuyYj+pp1d/rs5426yadftPI21OQ1F062nSTKtyViP8PFxzppbCzpSUK5oDdL7wCX2+y8071GJqNipLw+hUS/1z9x7GvEs0Fy5ZOefoHShO/vS6CfXUYoPNpq9ZiAoXvLCRSfY8HEqfOF45hFJLJsVhaKXOe1t4mfHJxrl88NKZXRC3nvSdoqwP9MTdNuvTf86Gn4n+zd3qT07ARqjq4hlV3L69xBxAK/QFrxHagSWOE4Z/tHvYYEiohbn/F6J4k30uv5KnR5P2OpXGRiS5eNXzXdfW+DptBHttmJKtzxD4JJbWRP6kFaUZiCLQLyhZTWoPHmFSTphkxZ2MkqCx13eFTHA927/zehAYCU/miJ1JLATMYaD3mHWifEKRipfG406cF1Y11w27Of3fmhAhqO/7LeZX1a39NXKHW6sIk1Rz0mEaFT8tpBUUxdR1FVaj//MUc7QsvzaxT1O8JletttC8wlWx1mePS1IU49O0DyYcZn4BW8vVJFDz24N7ARb+WcajmsopZScgNwO6XqvDaH/j8mH/0eWCFzIMfW0+pUoCrrmAtoHQ/Z2Dx1j1Yhddxkae1dwoyWGFDqLJyjJ9Hq7Xpx9jQOGGP0mQ2TOw1zwNCzfnWV3MTXmLLwSMc4/ZpOxSqsmI9RlMPE8LeU+ee/jhINYntD/q0zykcoSLj07SfwnYBZPfZcnxNyc94fyrX6GYGfXIAmPR2/pryRtPyXLR3WK9SbL/8rGN50mO42QlvXK0azWRe6gMT4yHZP6V6d5Vqrte1tfhUf/DYuUC0on6qHW5TDrWw7QBdiUQeip4YhW42vgU2WjjNiPZF332uExy0pypO6cZTnsR/jCUZxFMd/IVKWyhAeJt/Wx1Jli1c1SNTigH7LCrSLyrsA2tmufRAcGXRzG2C0mjwofWb7zR1IGCZ0yoVPSt7HNpOY5WoBLpsbhXBodyYTmrSprxXu4cg/n/G8jbAo/xW0AriJolA5k6F9/DWD/tDnIawhwW4AqqeWDk1MmNoGOf/OMplDdwrpkmclVidIcNnaCML8iuKiPx4g+8mdOdkc/mqIP8zaSInRV1/IrIGGSGRwSfQ4wyRFGqC8fYckympShVAGbetOLXn5dd7S3MGlh6n/rgUecqYySs9ckN2Ti0F1g/2CMI5g1Tn4fF2dwOk/iKFLvsSt5Y/vLMTfjK7W+FSg8ImtLs/Jfbn0rrlMVjoBXB2e/yajmu7r+xneP0OeRja+oA1gGExodDmUa4zV6QEU8IFSMLdnqMtShDdRs/XT1YAHbrlS4swg=,iv:EJEMIEsraig+i+5PlieAwHS6XV5bP+wlxv6Wni/9Dws=,tag:DM1XLnEtTp0vFEjAD4u4ag==,type:str]
STATE_ENCRYPTION_KEY: ENC[AES256_GCM,data:U0BoVcDN6/sNDST8epqmOzs5oWok6lRZ+hLo7O6/Mkz0cqB4rcHe/OOC9HTe39K5WUCD25Rfrb4lSeK0Finl9A==,iv:NM9Wjlx/llNc7Ws8DaNYy9dVq/oFEdlK5a/Alr5ZxVA=,tag:VT8GhiFxeI8AjdcKdRkEcQ==,type:str]
CLIENT_DB_JSON: ENC[AES256_GCM,data:C1UpicWcfmngdnBqGBMujt8aUZ+WpmvGs652NgR3gvN+aeQ1mMFWAjjCza5q9jN2sIhMbmu/NPrcTvLx4UNE0MOIclrWWbPdxk2UyylU+7TEas6V7OrpJa1e5D8msSSAnPLI7YSrRILSrw6pktnM/07d7S8Q1fkLGxJYkRboTGbTSRGRSSMDFdyrdrGiTDnc3H0y7FQerzQ8caRgRvb1JW8OPpJ+Kpk3jfTyFCNwiyJnISb48QCQPQX2jg9GpXl6OaPg2bw5OnnM1hi/qL+43nR/wV1WnvH/Z+Quvwgj7RorpS1TWVeLIC6zo8o49XFg6aHoiKigma3U/8ZeccsxpYHdsqObQ/mrSyYS87YNHXbl5miwjevaBGIj4Vteg16Vgs6R4jd8qgan+zCCfu5OwGmmCFG4M6EnuWhvQ5YpDGjclBc+q5exSnrb2hVOsEpYB2iRpcd5KNexrhCBJQZVMWRtAhnGIsupImctHaFVcZsvDBUQ3tQ+glt8s59VNZlnXPGE7hnB4L60PxMUJVhL6p8pbQtNvm6fCUBORoU+FCXnfGoK70Cxc/O6THvIcMH8L12rM0XEe/QyJIqRrBUtQcXgTZo3cB+tLVKW/MwKMyCk4s41McyEjL420pFh8cJ19iHWw5vZ4pZ4lkdtyaf3OI5eIVrnKj6uU96/daJSTOJCUgdyj/Vve//4m+UN7qkbnbahPRt5MZIY6P6P/Qs0JeV1tUnhe4vU,iv:WWpqoOZaXwIt1uziAdxgYDNSqR0XG0n/QexgIRItbm0=,tag:gzhESbDbnySTMMoJQiQl/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtqWVIwVHNQd3lCa0di
ajVwME5zdmZKcGEzSzMzUUNLODRJKzFtMkNrCjRyKzJjWEJaM3J2V29GTnA0TWlH
YmRPdnUzUm5Xb2dqSjBnRkM5U1VJbUkKLS0tIDZVb1Nxc3FYQW9hRGpta09OUllR
ZmJ0OTdRYTVQdlJ3REh0MXQvY21ETlkKyD979zhHLw/hFLBAjSQwVvSYF8vzyIym
D5Qt261RH79ajpnu6Sc11kUXKi0uGWOMBQQXdZKsv15o8RJsXsseWQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h7d5y4w370whuawk5jxz8zv320u766mzhvlg2n6gh6hxvqmxg4psfpr03e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGb2pSOUV3WkVwOWpiYWMy
R0NrSFd3TTk5bHZhbWZ6V2lBd3JIbno1QkJjCnNNRFZlUFBsU3pnbUN5eFNjSlNl
MDNlZDgvUWhCbXlTTU4rcEc1azBRK0kKLS0tIGEzK0h5cEowa0sxZ3dTYkp5eU5J
bzRMR1dnbEtLZmc4QStmN3B1YjJodTQKsH6+NmM3WmJoTOVId2jea43Ud4pPm072
x4O78jbVlBNaAWhmRDqF+e25I0ijYPPRICxh7VRnUl6PAsB93F60iQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nma4n6pxaywl39cndnu852vx0xs0vh5stcc3qtasdt89u4dqrussvjk5fj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSWZFOW5SZWM0WFFVcTdH
WlJQa2hUckUyanZnZHQ3Vnk0VG9Zcmt6dUEwCk96WDVLTDlsenpCdU9qSFhVcS80
bXdKZ1FCNmQrV2t1T2ltS0ljUnZrZEUKLS0tIGFuZWpmbjBvRXFKMXNTcFhHZmF1
bFV1ZFFVclVkVS9LZ3lXTnk1Vm43dVUKnskxex7sr+qj/kdYbNJNnjXXIF1P+9r+
wqL2UlpCRwP+I+bX7EsO06stiHzeVskcCjZVBC6Ki7HAaEF2KV6Tow==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINnIyYmtVcXF1TTd4UVpr
VThISkJQT0tYSmxiRWllM3VEb3Fnc3pSZm5FCjVVTUdYR1dkTEtOYjVCdHNWRS82
MFhaMFNITFE2QS9vbC9oNHhDaUpFZ28KLS0tIG16OERadzlIN3lXTDdyRS9tbHAr
NGwvS2J1SjNxMUdpdU01bGxrYVFEeDQKJfcoidOW3qh4hxQgBSFciCQrsothPllK
Zj6d3pUeqZpQlSaYKfr7tywYHOgkmOMJcGUfYXDpk7278gNBSo6T7w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-22T15:46:36Z"
mac: ENC[AES256_GCM,data:Nc8rhWtwyXedqESemEusiy2yeqtDbjlep0PAbQ7UW2+jdZZE/uOW1I7LvqTNOKwPwMwFgT0+PyuxOzcSrYtH24A/QSEA2P5kH9S7VXaAZmrWYANTI1pMzqaMGYdP2KQlgK3SqBPmJlG8OHYAHpYpFMIUduWiYCdgEZCfzGbzsfg=,iv:2so40E91bgVh2AL5D6Ju1CXP1Bd31kN95/86/Oinkg0=,tag:rHy//0ddChLA/dIN4P0EhA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
+1
View File
@@ -0,0 +1 @@
../../../../secrets/numerique-gouv/oidc2fer/env/staging/secrets.enc.yaml
@@ -13,6 +13,7 @@ satosa:
SAML2_DISCOVERY_URL: https://discovery.renater.fr/test/
SAML2_METADATA_URL: https://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml
SAML2_ENTITY_ID: https://oidc2fer-staging.beta.numerique.gouv.fr/Saml2/proxy_saml2_backend.xml-test
STATE_ENCRYPTION_KEY: { secretKeyRef: { name: oidc2fer, key: STATE_ENCRYPTION_KEY } }
SAML2_BACKEND_CERT: { secretKeyRef: { name: oidc2fer, key: SAML2_BACKEND_CERT } }
+4 -1
View File
@@ -22,9 +22,12 @@ attributes:
acr:
openid:
- acr
eppn:
eduPersonPrincipalName:
saml:
- eduPersonPrincipalName
eduPersonAffiliation:
saml:
- eduPersonAffiliation
uid:
openid:
- uid
@@ -23,7 +23,7 @@ config:
# - url: https://mdq.federation.renater.fr
remote:
- url: !ENV SAML2_METADATA_URL
entityid: <base_url>/<name>/proxy_saml2_backend.xml
entityid: !ENV SAML2_ENTITY_ID
accepted_time_diff: 60
allow_unknown_attributes: true
service:
@@ -38,6 +38,7 @@ config:
height: '200'
authn_requests_signed: true
want_response_signed: true
signing_algorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
allow_unsolicited: true
name_id_format:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
@@ -0,0 +1,16 @@
module: satosa.micro_services.attribute_authorization.AttributeAuthorization
name: AttributeAuthorization
config:
force_attributes_presence_on_allow: true
attribute_allow:
default: # any requester (SP/RP)
default: # any issuer (IdP/OP)
eduPersonPrincipalName:
# The eduPersonPrincipalName value may have been filtered by the
# AttributeFilter processor, if it did not match an expected scope
# for the IdP.
# We require it to be non-empty here, to avoid an unhandled error
# later in the PrimaryIdentifier processor.
- ".+"
eduPersonAffiliation:
- "^employee$"
@@ -0,0 +1,12 @@
module: satosa.micro_services.attribute_modifications.FilterAttributeValues
name: AttributeFilter
config:
attribute_filters:
# default rules for any IdentityProvider
"":
# default rules for any requester
"":
eduPersonPrincipalName:
# enforce correct scope (the part after '@' must match one
# of the scopes declared in the metadata)
shibmdscope_match_scope:
@@ -7,7 +7,7 @@ config:
# names are the internal SATOSA names for the attributes as
# defined in internal_attributes.yaml.
ordered_identifier_candidates:
- attribute_names: [eppn]
- attribute_names: [eduPersonPrincipalName]
# The internal SATOSA attribute into which to place the primary
# identifier value once found from the above configured ordered
+2
View File
@@ -12,6 +12,8 @@ FRONTEND_MODULES:
- plugins/frontends/openid_connect_frontend.yaml
- plugins/frontends/ping_frontend.yaml
MICRO_SERVICES:
- plugins/microservices/filter_attributes.yaml
- plugins/microservices/attribute_authorization.yaml
- plugins/microservices/primary_identifier.yaml
- plugins/microservices/static_attributes.yaml
- plugins/microservices/attribute_processor.yaml
+78 -39
View File
@@ -2,7 +2,7 @@ import json
import os
import pytest
from playwright.sync_api import Browser, BrowserContext, Page, expect
from playwright.sync_api import Browser, Page, expect
@pytest.fixture(scope="session")
@@ -10,10 +10,12 @@ def browser_context_args():
return {"locale": "fr-FR"}
def renater_test_idp(page):
page.get_by_label("Nom d'utilisateur").fill("etudiant1")
page.get_by_label("Mot de passe").fill("etudiant1")
def renater_test_idp(page, login):
page.get_by_label("Nom d'utilisateur").fill(login)
page.get_by_label("Mot de passe").fill(login)
page.get_by_label("Afficher les informations qui vont être transférées").check()
page.get_by_role("button", name="Connexion").click()
page.get_by_role("button", name="Accepter").click()
def renater_wayf(page):
@@ -22,24 +24,30 @@ def renater_wayf(page):
page.get_by_role("button", name="Sélection").click()
def oidc_to_renater(context: BrowserContext):
with context.new_page() as page:
page.goto("https://oidc-test-client.traefik.me")
renater_wayf(page)
renater_test_idp(page)
def oidc_to_renater(
page: Page,
login="enseignant1",
expected_email="georges.grospieds@formation.renater.fr",
expected_given_name="Georges",
expected_usual_name="Grospieds",
):
page.goto("https://oidc-test-client.traefik.me")
renater_wayf(page)
renater_test_idp(page, login=login)
expect(page.locator("pre")).to_contain_text('"usual_name":"Dupont"')
text = page.inner_text("pre")
result = json.loads(text)
expect(page.locator("pre")).to_contain_text('"usual_name":')
text = page.inner_text("pre")
result = json.loads(text)
id_token = result["access_token_response"]["id_token"]
assert {"acr": "eidas1"}.items() <= id_token.items()
userinfo = result["userinfo"]
assert {
"email": "jean.dupont@formation.renater.fr",
"given_name": "Jean",
"uid": "etudiant1@test-renater.fr",
"usual_name": "Dupont",
"sub": f"{login}@test-renater.fr",
"uid": f"{login}@test-renater.fr",
"email": expected_email,
"given_name": expected_given_name,
"usual_name": expected_usual_name,
}.items() <= userinfo.items()
return id_token
@@ -47,43 +55,74 @@ def oidc_to_renater(context: BrowserContext):
@pytest.mark.skipif(
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
)
def test_oidc_to_renater(browser: Browser):
id_token1 = oidc_to_renater(browser.new_context())
id_token2 = oidc_to_renater(browser.new_context())
def test_oidc_to_renater_keeps_sub(browser: Browser):
with browser.new_context().new_page() as page:
id_token1 = oidc_to_renater(page)
with browser.new_context().new_page() as page:
id_token2 = oidc_to_renater(page)
assert id_token1["sub"] == id_token2["sub"]
def agent_connect_login(page: Page):
@pytest.mark.skipif(
"TEST_E2E" not in os.environ, reason="Depends on app running locally"
)
def test_oidc_to_renater_student_not_allowed(page: Page):
page.goto("https://oidc-test-client.traefik.me")
renater_wayf(page)
renater_test_idp(page, login="etudiant1")
expect(page.locator("pre")).to_contain_text('"error":"access_denied"')
def agent_connect_login(page: Page, email):
page.goto("https://fsa1v2.integ01.dev-agentconnect.fr/")
page.get_by_label("Connexion à AgentConnect").click()
page.get_by_label("Email professionnel").fill("jean.dupont@formation.renater.fr")
page.get_by_label("Email professionnel").fill(email)
page.get_by_test_id("interaction-connection-button").click()
def agent_connect_to_renater(context: BrowserContext):
with context.new_page() as page:
agent_connect_login(page)
renater_wayf(page)
renater_test_idp(page)
def agent_connect_to_renater(
page: Page,
login="enseignant1",
expected_email="georges.grospieds@formation.renater.fr",
expected_given_name="Georges",
expected_usual_name="Grospieds",
):
agent_connect_login(page, email=expected_email)
renater_wayf(page)
renater_test_idp(page, login=login)
expect(page.locator("body")).to_contain_text("jean.dupont@formation.renater.fr")
text = page.inner_text("#json")
result = json.loads(text)
assert {
"email": "jean.dupont@formation.renater.fr",
"given_name": "Jean",
"uid": "etudiant1@test-renater.fr",
"usual_name": "Dupont",
}.items() <= result.items()
return result
expect(page.locator("body")).to_contain_text(expected_email)
text = page.inner_text("#json")
result = json.loads(text)
assert {
"uid": f"{login}@test-renater.fr",
"email": expected_email,
"given_name": expected_given_name,
"usual_name": expected_usual_name,
}.items() <= result.items()
return result
@pytest.mark.skipif(
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
)
def test_agent_connect_to_renater(browser: Browser):
result1 = agent_connect_to_renater(browser.new_context())
result2 = agent_connect_to_renater(browser.new_context())
def test_agent_connect_to_renater_keeps_sub(browser: Browser):
with browser.new_context().new_page() as page:
result1 = agent_connect_to_renater(page)
with browser.new_context().new_page() as page:
result2 = agent_connect_to_renater(page)
assert result1["sub"] == result2["sub"]
@pytest.mark.skipif(
"TEST_E2E_AC" not in os.environ, reason="Depends on staging deployment"
)
def test_agent_connect_to_renater_student_not_allowed(page: Page):
agent_connect_login(page, email="jean.dupont@formation.renater.fr")
renater_wayf(page)
renater_test_idp(page, login="etudiant1")
expect(page.locator("body")).to_contain_text("Une erreur technique est survenue.")