From 770d9af22bb6d0331b7e2d006a846552ff7917a2 Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 7 Apr 2022 10:39:18 +0200
Subject: [PATCH 1/6] fix: docker versions
---
 README.md | 2 +-
 docker-compose.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 195e2182..cff43b08 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ Read the [setup documentation](docs/SETUP.md) to get started.
 ### Docker image
 ````
-docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.3
+docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.4
 ````
 ### Docker compose
diff --git a/docker-compose.yml b/docker-compose.yml
index f9085bb8..c9414859 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 services:
 trust-anchor.org:
- image: spid-cie-oidc-django:v0.6.3
+ image: spid-cie-oidc-django:v0.6.4
 build:
 context: .
 dockerfile: ./Dockerfile
@@ -19,7 +19,7 @@ services:
 python3 manage.py runserver 0.0.0.0:8000"
 cie-provider.org:
- image: spid-cie-oidc-django:v0.6.3
+ image: spid-cie-oidc-django:v0.6.4
 build:
 context: .
 dockerfile: ./Dockerfile
@@ -40,7 +40,7 @@ services:
 python3 manage.py runserver 0.0.0.0:8002"
 relying-party.org:
- image: spid-cie-oidc-django:v0.6.3
+ image: spid-cie-oidc-django:v0.6.4
 build:
 context: .
 dockerfile: ./Dockerfile
From 940c990e5b0c352049ae9ed20fc2dc9d5c646246 Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 7 Apr 2022 10:55:09 +0200
Subject: [PATCH 2/6] fix: automatic type on EC save and onboarded.status on admin action
---
 spid_cie_oidc/entity/models.py | 4 ++++
 spid_cie_oidc/onboarding/admin.py | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/spid_cie_oidc/entity/models.py b/spid_cie_oidc/entity/models.py
index bc18700e..02263d13 100644
--- a/spid_cie_oidc/entity/models.py
+++ b/spid_cie_oidc/entity/models.py
@@ -236,6 +236,10 @@ def entity_configuration_as_jws(self, **kwargs):
 **kwargs,
 )
+ def save(self, *args, **kwargs):
+ self.entity_type = self.type[0]
+ super().save(*args, **kwargs)
+
 def __str__(self):
 return "{} [{}]".format(self.sub, "active" if self.is_active else "--")
diff --git a/spid_cie_oidc/onboarding/admin.py b/spid_cie_oidc/onboarding/admin.py
index 76745807..4132e54b 100644
--- a/spid_cie_oidc/onboarding/admin.py
+++ b/spid_cie_oidc/onboarding/admin.py
@@ -32,6 +32,8 @@ def enable_as_descendant(modeladmin, request, queryset):
 contact = contact,
 type = "email"
 )
+ entity_onboarded.status = "onboarded"
+ entity_onboarded.save()
 except IntegrityError: # pragma: no cover
 messages.error(request, f"Already exists a descendant with subject: {sub}")
From 292bc830f1dcfd54b243adfd3e5b7e0641d7149a Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 7 Apr 2022 12:23:19 +0200
Subject: [PATCH 3/6] chore: [provider] a better message of generic exception during authz validation
---
 spid_cie_oidc/provider/views/authz_request_view.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spid_cie_oidc/provider/views/authz_request_view.py b/spid_cie_oidc/provider/views/authz_request_view.py
index f2e5fe9f..1da96490 100644
--- a/spid_cie_oidc/provider/views/authz_request_view.py
+++ b/spid_cie_oidc/provider/views/authz_request_view.py
@@ -147,7 +147,7 @@ def get(self, request, *args, **kwargs):
 )
 except Exception as e:
 logger.error(
- "Error during trust build for "
+ "Error during authz request validation for "
 f"{request.GET.get('client_id', 'unknown')}: {e}"
 )
 return self.redirect_response_data(
From c4722adebbe07e16b326ca48a08a35fa7bdea27e Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 7 Apr 2022 20:04:03 +0200
Subject: [PATCH 4/6] feat: [RP] added warning messages on token signature validation errors
---
 .../relying_party/views/rp_callback.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
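Review bot: The new `save` override indexes `self.type[0]` unconditionally, so a record whose `type` is empty (or `None`) now fails every `save()` with an `IndexError`/`TypeError` before `super().save()` is reached, and nothing in the hunk guards that. Unless the field is validated as non-empty elsewhere (not visible here), a guard such as `if self.type: self.entity_type = self.type[0]` — or raising a `ValidationError` with a clear message — turns an opaque traceback into a real error. The override also silently overwrites any `entity_type` set explicitly by the caller, which deserves a one-line comment: `# entity_type is always derived from the first declared type`.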
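Review bot: `entity_onboarded.status = "onboarded"` on the added lines is a bare string literal; if the model declares status choices (the hunk does not show them), reference that constant so a typo cannot leave the row in a status the rest of the code never matches. The write sits inside the same `try` whose `except IntegrityError` only reports the duplicate descendant, so the status is correctly left untouched when the create fails; a short comment stating that intent would help, e.g. `# flip status only once the descendant row exists`. `enable_as_descendant` starts before this hunk.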
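Review bot: The reworded log line still interpolates `request.GET.get('client_id', 'unknown')` — attacker-controlled query input — and the free-text exception straight into an f-string, so a `client_id` carrying `\n` or terminal escapes can forge extra log records (log injection). Use lazy, repr-quoted arguments so the value is escaped and only formatted when the level is enabled: `logger.error("Error during authz request validation for %r: %s", request.GET.get('client_id', 'unknown'), e)`. Since this is a catch-all `except Exception`, `logger.exception(...)` would also keep the traceback that the generic message discards. The enclosing `get` starts before and ends after this hunk.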
diff --git a/spid_cie_oidc/relying_party/views/rp_callback.py b/spid_cie_oidc/relying_party/views/rp_callback.py
index 0e682a95..074b23b6 100644
--- a/spid_cie_oidc/relying_party/views/rp_callback.py
+++ b/spid_cie_oidc/relying_party/views/rp_callback.py
@@ -188,7 +188,10 @@ def get(self, request, *args, **kwargs):
 op_id_jwk = self.get_jwk_from_jwt(id_token, jwks)
 if not op_ac_jwk or not op_id_jwk:
- # TODO: verify error message and status
+ logger.warning(
+ "Token signature validation error, "
+ f"the tokens were signed with a different kid from: {jwks}."
+ )
 context = {
 "error": "invalid_token",
 "error_description": _("Authentication token seems not to be valid."),
@@ -197,8 +200,10 @@ def get(self, request, *args, **kwargs):
 try:
 verify_jws(access_token, op_ac_jwk)
- except Exception:
- # TODO: verify error message
+ except Exception as e:
+ logger.warning(
+ f"Access Token signature validation error: {e} "
+ )
 context = {
 "error": "token verification failed",
 "error_description": _("Authentication token validation error."),
@@ -207,8 +212,10 @@ def get(self, request, *args, **kwargs):
 try:
 verify_jws(id_token, op_id_jwk)
- except Exception:
- # TODO: verify error message
+ except Exception as e:
+ logger.warning(
+ f"ID Token signature validation error: {e} "
+ )
 context = {
 "error": "token verification failed",
 "error_description": _("ID token validation error."),
From 5e14c320a1c8f0041267935940bda78af5d099cf Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 7 Apr 2022 20:21:06 +0200
Subject: [PATCH 5/6] feat: better warning messages to help configuration of jwks and userinfo errors by rp side
---
 spid_cie_oidc/entity/models.py | 16 ++++++++++++++++
 spid_cie_oidc/relying_party/views/rp_callback.py | 8 ++++----
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/spid_cie_oidc/entity/models.py b/spid_cie_oidc/entity/models.py
index 02263d13..28a6bd23 100644
--- a/spid_cie_oidc/entity/models.py
+++ b/spid_cie_oidc/entity/models.py
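Review bot: The warning added in the first hunk dumps the whole provider `jwks` but never says which `kid` the tokens actually carried, which is the one value needed to diagnose a key rollover; dumping the key set is also the noisiest option, though it holds public keys only, so it is not a secret leak. Log the unresolved header kid plus the known kids instead, e.g. `logger.warning("Token kid not found in OP jwks; known kids: %s", [k.get("kid") for k in keys])` — hedged, since the hunk does not show whether `jwks` is the raw JWKS dict or its `keys` list, nor whether `get_jwk_from_jwt` exposes the header kid. `get` starts before and ends after this hunk.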
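Review bot: `logger.warning(f"Access Token signature validation error: {e} ")` formats eagerly and carries a trailing space; the logging idiom is lazy arguments, `logger.warning("Access Token signature validation error: %s", e)`. Because the handler is a blanket `except Exception`, a bug inside `verify_jws` (not only a bad signature) is reported to the user as a token failure and logged without its traceback — `logger.exception(...)` keeps the traceback at no extra cost. `get` starts before and ends after this hunk.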
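Review bot: The ID-token branch keeps `"error": "token verification failed"` while the branch at the top of the file section uses the registered OAuth code `invalid_token`; if `context["error"]` is ever surfaced as an error code rather than free text (the hunk does not show how the context is rendered), the two should agree: `"error": "invalid_token"`. A valid signature is also not yet a valid ID token — `iss`, `aud`, `exp` and `nonce` still need checking; if that happens later in `get`, a one-line comment here, `# signature only; iss/aud/exp/nonce are validated below`, saves the next reader a search. `get` starts before and ends after this hunk.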
@@ -240,6 +240,22 @@ def save(self, *args, **kwargs):
 self.entity_type = self.type[0]
 super().save(*args, **kwargs)
+ if self.entity_type in ENTITY_TYPE_LEAFS:
+ valid_kids = set()
+ for jwk in self.jwks:
+ valid_kids.add(jwk.get("kid", None))
+
+ for entity,metadata in self.metadata.items():
+ for oidc_jwk in metadata['jwks']['keys']:
+ if oidc_jwk['kid'] not in valid_kids:
+ logger.warning(
+ f"Found a public jwk in {entity} that haven't a valid "
+ f"jwk {oidc_jwk['kid']} in {self.jwks}."
+ )
+
+
+
 def __str__(self):
 return "{} [{}]".format(self.sub, "active" if self.is_active else "--")
diff --git a/spid_cie_oidc/relying_party/views/rp_callback.py b/spid_cie_oidc/relying_party/views/rp_callback.py
index 074b23b6..43bd287c 100644
--- a/spid_cie_oidc/relying_party/views/rp_callback.py
+++ b/spid_cie_oidc/relying_party/views/rp_callback.py
@@ -123,7 +123,6 @@ def get(self, request, *args, **kwargs):
 )
 if not authz:
- # TODO: verify error message and status
 context = {
 "error": "unauthorized request",
 "error_description": _("Authentication not found"),
@@ -141,7 +140,6 @@ def get(self, request, *args, **kwargs):
 sub=authz_token.authz_request.client_id
 ).first()
 if not self.rp_conf:
- # TODO: verify error message and status
 context = {
 "error": "invalid request",
 "error_description": _("Relay party not found"),
@@ -159,7 +157,6 @@ def get(self, request, *args, **kwargs):
 code_verifier=authz_data.get("code_verifier"),
 )
 if not token_response:
- # TODO: verify error message
 context = {
 "error": "invalid token response",
 "error_description": _("Token response seems not to be valid"),
@@ -241,7 +238,10 @@ def get(self, request, *args, **kwargs):
 verify=HTTPC_PARAMS,
 )
 if not userinfo:
- # TODO: verify error message
+ logger.warning(
+ "Userinfo request failed for state: "
+ f"{authz.state} to {authz.provider_id}"
+ )
 context = {
 "error": "invalid userinfo response",
 "error_description": _("UserInfo response seems not to be valid"),
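Review bot: The new kid check uses plain indexing, `metadata['jwks']['keys']` and `oidc_jwk['kid']`, so any metadata entry without an inline `jwks` (or a key without a `kid`) raises `KeyError` — and it raises after `super().save()` has already committed, so the caller sees a failed save on a row that was in fact written. Since this block is only a diagnostic warning, it should never raise: `for oidc_jwk in metadata.get('jwks', {}).get('keys', []):` and `if oidc_jwk.get('kid') not in valid_kids:`, matching the `jwk.get("kid", None)` the same hunk already uses for `valid_kids`. The message `haven't a valid jwk` also misstates the check; `has kid {kid} which is not present in self.jwks` says what was actually compared. `save` starts before this hunk.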
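Review bot: The userinfo warning in the last hunk is the only diagnostic for a failed userinfo call, yet it records neither the provider's response nor an exception — `userinfo` is merely falsy at this point, so the reason is already gone (if `get_userinfo` swallows it, that is where status/body should be logged; the hunk does not show it). At minimum prefer lazy formatting over the f-string, `logger.warning("Userinfo request failed for state %s to %s", authz.state, authz.provider_id)`. `get` starts before and ends after this hunk.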
From 65df20114738806ebd78db7448c69c57f2f34b4e Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Fri, 8 Apr 2022 09:32:41 +0200
Subject: [PATCH 6/6] v0.6.5
---
 README.md | 2 +-
 docker-compose.yml | 6 +++---
 spid_cie_oidc/__init__.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index cff43b08..caa7acc9 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ Read the [setup documentation](docs/SETUP.md) to get started.
 ### Docker image
 ````
-docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.4
+docker pull ghcr.io/italia/spid-cie-oidc-django:v0.6.5
 ````
 ### Docker compose
diff --git a/docker-compose.yml b/docker-compose.yml
index c9414859..f963f044 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 services:
 trust-anchor.org:
- image: spid-cie-oidc-django:v0.6.4
+ image: spid-cie-oidc-django:v0.6.5
 build:
 context: .
 dockerfile: ./Dockerfile
@@ -19,7 +19,7 @@ services:
 python3 manage.py runserver 0.0.0.0:8000"
 cie-provider.org:
- image: spid-cie-oidc-django:v0.6.4
+ image: spid-cie-oidc-django:v0.6.5
 build:
 context: .
 dockerfile: ./Dockerfile
@@ -40,7 +40,7 @@ services:
 python3 manage.py runserver 0.0.0.0:8002"
 relying-party.org:
- image: spid-cie-oidc-django:v0.6.4
+ image: spid-cie-oidc-django:v0.6.5
 build:
 context: .
 dockerfile: ./Dockerfile
diff --git a/spid_cie_oidc/__init__.py b/spid_cie_oidc/__init__.py
index 364e7bae..7bbb2ef5 100644
--- a/spid_cie_oidc/__init__.py
+++ b/spid_cie_oidc/__init__.py
@@ -1 +1 @@
-__version__ = "0.6.4"
+__version__ = "0.6.5"