Merge pull request #222 from italia/dev

v0.6.5

README.md

@@ -72,7 +72,7 @@ Read the [setup documentation](docs/SETUP.md) to get started.
 ### Docker image
 
 ````
-docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.4
+docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.5
 ````
 
 ### Docker compose

docker-compose.yml

@@ -2,7 +2,7 @@ version: "3"
 
 services:
   trust-anchor.org:
-    image: spid-cie-oidc-django:v0.6.4
+    image: spid-cie-oidc-django:v0.6.5
     build:
       context: .
       dockerfile: ./Dockerfile
@@ -19,7 +19,7 @@ services:
         python3 manage.py runserver 0.0.0.0:8000"
 
   cie-provider.org:
-    image: spid-cie-oidc-django:v0.6.4
+    image: spid-cie-oidc-django:v0.6.5
     build:
       context: .
       dockerfile: ./Dockerfile
@@ -40,7 +40,7 @@ services:
         python3 manage.py runserver 0.0.0.0:8002"
 
   relying-party.org:
-    image: spid-cie-oidc-django:v0.6.4
+    image: spid-cie-oidc-django:v0.6.5
     build:
       context: .
       dockerfile: ./Dockerfile

spid_cie_oidc/__init__.py

@@ -1 +1 @@
-__version__ = "0.6.4"
+__version__ = "0.6.5"

spid_cie_oidc/entity/models.py

@@ -236,6 +236,26 @@ def entity_configuration_as_jws(self, **kwargs):
             **kwargs,
         )
 
+    def save(self, *args, **kwargs):
+        self.entity_type = self.type[0]
+        super().save(*args, **kwargs)
+
+        if self.entity_type in ENTITY_TYPE_LEAFS:
+            valid_kids = set()
+            for jwk in self.jwks:
+                valid_kids.add(jwk.get("kid", None))
+
+            for entity,metadata in self.metadata.items():
+                for oidc_jwk in metadata['jwks']['keys']:
+                    if oidc_jwk['kid'] not in valid_kids:
+                        logger.warning(
+                            f"Found a public jwk in {entity} that haven't a valid "
+                            f"jwk {oidc_jwk['kid']} in {self.jwks}."
+                        )
+
+
+
+
     def __str__(self):
         return "{} [{}]".format(self.sub, "active" if self.is_active else "--")
 

spid_cie_oidc/onboarding/admin.py

@@ -32,6 +32,8 @@ def enable_as_descendant(modeladmin, request, queryset):
                     contact = contact,
                     type = "email"
                 )
+                entity_onboarded.status = "onboarded"
+                entity_onboarded.save()
             except IntegrityError: # pragma: no cover
                 messages.error(request, f"Already exists a descendant with subject: {sub}")
 

spid_cie_oidc/provider/views/authz_request_view.py

@@ -147,7 +147,7 @@ def get(self, request, *args, **kwargs):
             )
         except Exception as e:
             logger.error(
-                "Error during trust build for "
+                "Error during authz request validation for "
                 f"{request.GET.get('client_id', 'unknown')}: {e}"
             )
             return self.redirect_response_data(

spid_cie_oidc/relying_party/views/rp_callback.py

@@ -123,7 +123,6 @@ def get(self, request, *args, **kwargs):
             )
 
         if not authz:
-            # TODO: verify error message and status
             context = {
                 "error": "unauthorized request",
                 "error_description": _("Authentication not found"),
@@ -141,7 +140,6 @@ def get(self, request, *args, **kwargs):
             sub=authz_token.authz_request.client_id
         ).first()
         if not self.rp_conf:
-            # TODO: verify error message and status
             context = {
                 "error": "invalid request",
                 "error_description": _("Relay party not found"),
@@ -159,7 +157,6 @@ def get(self, request, *args, **kwargs):
             code_verifier=authz_data.get("code_verifier"),
         )
         if not token_response:
-            # TODO: verify error message
             context = {
                 "error": "invalid token response",
                 "error_description": _("Token response seems not to be valid"),
@@ -188,7 +185,10 @@ def get(self, request, *args, **kwargs):
         op_id_jwk = self.get_jwk_from_jwt(id_token, jwks)
 
         if not op_ac_jwk or not op_id_jwk:
-            # TODO: verify error message and status
+            logger.warning(
+                "Token signature validation error, "
+                f"the tokens were signed with a different kid from: {jwks}."
+            )
             context = {
                 "error": "invalid_token",
                 "error_description": _("Authentication token seems not to be valid."),
@@ -197,8 +197,10 @@ def get(self, request, *args, **kwargs):
 
         try:
             verify_jws(access_token, op_ac_jwk)
-        except Exception:
-            # TODO: verify error message
+        except Exception as e:
+            logger.warning(
+                f"Access Token signature validation error: {e} "
+            )
             context = {
                 "error": "token verification failed",
                 "error_description": _("Authentication token validation error."),
@@ -207,8 +209,10 @@ def get(self, request, *args, **kwargs):
 
         try:
             verify_jws(id_token, op_id_jwk)
-        except Exception:
-            # TODO: verify error message
+        except Exception as e:
+            logger.warning(
+                f"ID Token signature validation error: {e} "
+            )
             context = {
                 "error": "token verification failed",
                 "error_description": _("ID token validation error."),
@@ -234,7 +238,10 @@ def get(self, request, *args, **kwargs):
             verify=HTTPC_PARAMS,
         )
         if not userinfo:
-            # TODO: verify error message
+            logger.warning(
+                "Userinfo request failed for state: "
+                f"{authz.state} to {authz.provider_id}"
+            )
             context = {
                 "error": "invalid userinfo response",
                 "error_description": _("UserInfo response seems not to be valid"),