Merge pull request #158 from italia/dev

OnBoarding Tools, provider session history page, CIE Provider and docs

README.md

@@ -107,7 +107,7 @@ Please consider the following branches:
 Backup and share your demo data
 ````
 # backup your data (upgrade example data), -e excludes.
-./manage.py dumpdata -e admin -e spid_cie_oidc_relying_party spid_cie_oidc_provider -e spid_cie_oidc_relying_party_test -e auth -e contenttypes -e sessions > dumps/example.json
+./manage.py dumpdata -e admin -e spid_cie_oidc_relying_party -e spid_cie_oidc_provider -e spid_cie_oidc_relying_party_test -e auth -e contenttypes -e sessions > dumps/example.json
 ````
 
 In this project we adopt [Semver](https://semver.org/lang/it/) and

docs/CREATE_A_FEDERATION_AUTHORITY.md

@@ -80,3 +80,40 @@ authority_hints = ["http://testserver/"]
 ### Create a Federation Descendant via API
 
 see [unit tests](https://github.com/peppelinux/spid-cie-oidc-django/blob/main/spid_cie_oidc/authority/tests/test_02_trust_anchor_intermediary.py#L32).
+
+
+### Create a CIE provider in a Federation Authority
+
+Delete provider database:
+````
+cd examples/provider
+rm db.sqlite3
+````
+do migrations ````./manage.py migrate````
+
+in provider settingslocal.py configure cie profile:  ````OIDCFED_PROVIDER_PROFILE = "cie"````
+
+In exemples/provider configure a federation entity configuration as OP:
+
+````
+./manage.py runserver 0.0.0.0:8002
+````
+In provider admin console:
+
+![OP federation entity](images/op_federation_entity.png)
+
+In examples/federation_authority configure OP cie as descendant:
+
+````
+./manage.py runserver
+````
+
+In federation admin console:
+
+![OP as descendant](images/op_descendant.png)
+
+In federation service build trust chain for OP:
+
+````
+examples/federation_authority/manage.py fetch_openid_providers --start -f
+````

spid_cie_oidc/__init__.py

@@ -1 +1 @@
-__version__ = "0.4.14"
+__version__ = "0.4.15"

spid_cie_oidc/authority/validators.py

@@ -33,8 +33,14 @@ def validate_entity_configuration(value):
         )
     if not jwt:
         raise ValidationError("Entity Configuration is Null")
-    ec = EntityConfiguration(jwt, httpc_params=HTTPC_PARAMS)
-    ec.validate_by_itself()
+
+    try:
+        ec = EntityConfiguration(jwt, httpc_params=HTTPC_PARAMS)
+        ec.validate_by_itself()
+    except Exception as e:
+        raise ValidationError(
+            f"Failed to fetch Entity Configuration for {value}: {e}"
+        )
 
     authority_hints = ec.payload.get("authority_hints", [])
     if not authority_hints:
@@ -52,3 +58,4 @@ def validate_entity_configuration(value):
             f"{', '.join(OIDCFED_TRUST_ANCHORS) or []} in "
             f"its authority_hints claim. It has: {authority_hints}"
         )
+    return ec

spid_cie_oidc/entity/schemas/jwks.py

@@ -43,8 +43,8 @@ def validate_e(cls, e_value, values):
 
 class JwkCie(Jwk):
     x: Optional[str]  # Base64url-encoded
-    y:  Optional[str]  # Base64url-encoded
-    crv:  Optional[Literal["P-256", "P-384", "P-521"]]
+    y: Optional[str]  # Base64url-encoded
+    crv: Optional[Literal["P-256", "P-384", "P-521"]]
 
     @validator("x")
     def validate_x(cls, x_value, values):

spid_cie_oidc/onboarding/templates/base.html

@@ -127,8 +127,6 @@ <h3 class="no_toc">VALIDATORS</h3>
                             <span>{% trans "Validate Entity Configuration" %}</span></a></li>  
                         <li><a class="list-item" href="{% url 'oidc_onboarding_validating_trustmark' %}">
                             <span>{% trans "Trust mark validation" %}</span></a></li> 
-
-
                     </ul>
                 </div>
             </div>

spid_cie_oidc/onboarding/templates/onboarding_jwk.html

@@ -5,7 +5,7 @@
 {% block centered_container %}
 <div class="col-12 pl-lg-4">
     <h4 class="text-left">
-        {% trans "Create a JWT" %}
+        {% trans "Create a JWK" %}
     </h4>
 
     <p class="pt-4 mb-0">

spid_cie_oidc/onboarding/templates/onboarding_validate_ec.html

@@ -8,7 +8,7 @@ <h4 class="text-left">
         {% trans "Validate entity configuration" %}
     </h4>
 
-    <p class="pt-4 mb-0">
+    <p class="pt-4 mb-4">
         {% trans "enter a url of entity to check if it is compatible" %}
     </p>
 
@@ -18,7 +18,7 @@ <h4 class="text-left">
             <div class="col-12 form-group my-3">
             <label for="id_url">
                 <span class="form-label-content">
-                    url of the entity
+                    {% trans "url of the entity" %}
                 </span>
             </label>
 
@@ -27,6 +27,18 @@ <h4 class="text-left">
             </div>
             <span for="id_url" class="text-danger"></span>
         </div>
+        {% if ec %}
+        <div class="form-row mt-3">
+            <div class="col-12 form-group my-3">
+                <label for="id_ec">
+                    <span class="form-label-content">
+                        {% trans "Here the json of entity configuration." %}
+                    </span>
+                </label>
+                <textarea id="id_ec" rows="14" disabled>{{ ec }}</textarea>
+            </div>
+        </div>
+        {% endif %}
         <input type="submit" name="confirm" class="btn btn-lg btn-primary btn-block" value="{% trans 'validate' %}" />
     </form>
 </div>

spid_cie_oidc/onboarding/views.py

@@ -4,6 +4,7 @@
 from django.contrib import messages
 from django.utils.translation import gettext as _
 
+
 from .forms import (
     OnboardingRegistrationForm,
     OnboardingCreateTrustChain,
@@ -253,13 +254,16 @@ def onboarding_validate_authn_request(request):
         return render(request, 'onboarding_validate_md.html', context)
     return render(request, 'onboarding_validate_md.html', context)
 
+
 def onboarding_validate_ec(request):
-    context={}
+    context = {}
     if request.POST:
         url = request.POST.get("url")
         context = {"url": url}
         try:
-            validate_entity_configuration(url)
+            # TODO: here we have 2 http requests ...
+            ec = validate_entity_configuration(url)
+            context["ec"] = json.dumps(ec.payload, indent=4)
             messages.success(request, _('Validation Entity Configuration Successfully'))
         except Exception as e :
             messages.error(request, f"Validation Failed: {e}")

spid_cie_oidc/provider/exceptions.py

@@ -8,3 +8,7 @@ class InvalidSession(Exception):
 
 class RevokedSession(Exception):
     pass
+
+
+class ValidationException(Exception):
+    pass

spid_cie_oidc/provider/models.py

@@ -41,9 +41,9 @@ def set_sid(self, request):
         except Exception:
             logger.warning(f"Error setting SID for OidcSession {self}")
 
-    def revoke(self):
+    def revoke(self, destroy_session=True):
         session = Session.objects.filter(session_key=self.sid)
-        if session:
+        if session and destroy_session:
             session.delete()
         self.revoked = True
         iss_tokens = IssuedToken.objects.filter(session=self)
@@ -67,6 +67,7 @@ class Meta:
         verbose_name = "User Session"
         verbose_name_plural = "User Sessions"
         unique_together = ("client_id", "nonce")
+        ordering = ["-created"]
 
 
 class IssuedToken(TimeStampedModel):

spid_cie_oidc/provider/settings.py

@@ -15,6 +15,7 @@
 from spid_cie_oidc.onboarding.schemas.revocation_request import RevocationRequest
 from spid_cie_oidc.onboarding.schemas.token_requests import TokenAuthnCodeRequest, TokenRefreshRequest
 
+
 OIDCFED_PROVIDER_PROFILES_MEDIA = getattr(
     settings,
     "OIDCFED_PROVIDER_PROFILES_MEDIA",
@@ -23,7 +24,7 @@
             "logo": "svg/spid-logo-c-lb.svg"
         },
         "cie": {
-            "logo": "images/logo-cie-png"
+            "logo": "images/logo-cie.png"
         },
     },
 )
@@ -107,7 +108,8 @@
 OIDCFED_PROVIDER_SALT = getattr(settings, "OIDCFED_PROVIDER_SALT", "CHANGEME")
 OIDCFED_DEFAULT_PROVIDER_PROFILE = getattr(settings, "OIDCFED_PROVIDER_PROFILE", "spid")
 
-OIDCFED_PROVIDER_MAX_REFRESH = 1
+OIDCFED_PROVIDER_MAX_REFRESH = getattr(settings, "OIDCFED_PROVIDER_MAX_REFRESH", 1)
+OIDCFED_PROVIDER_HISTORY_PER_PAGE = getattr(settings, "OIDCFED_PROVIDER_HISTORY_PER_PAGE", 50)
 
 # lifetime of validity of an auth code
 OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE = getattr(
@@ -154,4 +156,4 @@
     # "document_details":  ,
     # "e_delivery_service":  ,
     "physical_phone_number": _("Phone number"),
-}
+}

spid_cie_oidc/provider/templates/op_base.html

@@ -42,7 +42,6 @@
 <a href="#">{% trans "OIDC Provider" %}</a>
 {% endblock header_center_org_name %}
 
-{% block main_menu %}{% endblock main_menu %}
 
 <!-- Organization description in Header -->
 {% block header_center_org_subname %}

spid_cie_oidc/provider/templates/op_user_consent.html

@@ -3,6 +3,23 @@
 {% load static %}
 {% load spid_cie_op %}
 
+{% block menu_links %}
+
+<li class="nav-item ">
+    <a class="nav-link {% if request.resolver_match.view_name == 'oidc_provider_consent' %}active{% endif %}" 
+    href="{% url 'oidc_provider_consent' %}">
+        <span>{% trans 'Home' %}</span>
+    </a>
+</li>
+<li class="nav-item">
+    <a class="nav-link {% if request.resolver_match.view_name == 'oidc_provider_access_history' %}active{% endif %}" 
+    href="{% url 'oidc_provider_access_history' %}">
+        <span>{% trans 'Access History' %}</span>
+    </a>
+</li>
+
+{% endblock menu_links %}
+
 {% block centered_container %}
 
 <div class="col-12">

spid_cie_oidc/provider/templates/op_user_history.html

@@ -0,0 +1,132 @@
+{% extends 'op_base.html' %}
+{% load i18n %}
+{% load static %}
+{% load spid_cie_op %}
+
+{% block menu_links %}
+
+<li class="nav-item ">
+    <a class="nav-link {% if request.resolver_match.view_name == 'oidc_provider_consent' %}active{% endif %}" 
+    href="{% url 'oidc_provider_consent' %}">
+        <span>{% trans 'Home' %}</span>
+    </a>
+</li>
+<li class="nav-item">
+    <a class="nav-link {% if request.resolver_match.view_name == 'oidc_provider_access_history' %}active{% endif %}" 
+    href="{% url 'oidc_provider_access_history' %}">
+        <span>{% trans 'Access History' %}</span>
+    </a>
+</li>
+
+{% endblock menu_links %}
+
+{% block centered_container %}
+
+<div class="col-12">
+
+    <div class="row row-header border-bottom no-border-bottom-xs">
+        <div class="wrap-container">
+            <div class="col-lg-6 col-md-6 col-sm-6 col-xs-6">
+                <h1>
+                    <a href="/" title="torna alla home">
+                        <img src="{% oidc_provider_logo %}" alt="SPID" class="w-100 p-3">
+                    </a>
+                </h1>
+            </div>
+            <div class="clear"></div>
+        </div>
+    </div>
+
+    <div class="row mt-4 ml-1">
+        <h4 class="text-left">
+            {% blocktrans %}
+                Access history of {{user}}
+            {% endblocktrans%}
+        </h4>
+    </div>
+
+    <div class="row mt-2 ml-1">
+        <div>
+            <p class="">
+                {% blocktrans%}
+                    Accesses logs and status are listed below, 
+                    you can revoke an access to a Relying Party by clicking on "revoke" button
+                {% endblocktrans %}
+            </p>
+        </div>
+    </div>
+
+        {% csrf_token %}
+
+        <table class="table table-striped">
+            <thead>
+                <tr>
+                    <th scope="col">#</th>
+                    <th scope="col">{% trans "Relying party" %}</th>
+                    <th scope="col">{% trans "Sid" %}</th>
+                    <th scope="col">{% trans "Created" %}</th>
+                    <th scope="col">{% trans "Revoked" %}</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for session in history %}
+                <tr>
+                    <th scope="row">{{ forloop.counter }}</th>
+                    <td>{{ session.client_id }}</td>
+                    <td>{{ session.sid}}</td>
+                    <td>{{ session.created | date:'Y-m-d H:i'}}</td>
+                    {% if session.revoked %}
+                        <td class="text-success">
+                            {{ session.revoked }}
+                        </td>
+                    {% else %}
+                        <td>
+                            <a href="{% url 'oidc_provider_revoke_session' %}?auth_code={{session.auth_code}}" 
+                                class="btn btn-secondary" role="button">{% trans "Revoke" %}</a>
+                        </td>
+                    {% endif %}
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+
+        <nav class="pagination-wrapper justify-content-center">
+            <ul class="pagination">
+                {% if history.has_previous %}
+                <li class="page-item">
+                    <a class="page-link" href="?page={{history.previous_page_number}}" tabindex="-1" aria-hidden="true">
+                        <svg class="icon icon-primary">
+                            <use href="{% static 'svg/sprite.svg' %}#it-chevron-left"></use>
+                        </svg>
+                        <span class="sr-only">{% trans "previous page" %}</span>
+                    </a>
+                </li>
+                {% endif %}
+                {% for i in history.paginator.page_range%}
+                {% if i == history.number %}
+                <li class="page-item active">
+                    <a class="page-link" href="?page={{ i }}" aria-current="page">
+                        <span class="d-inline-block d-sm-none">{% trans "page" %}</span>{{ i }}
+                    </a>
+                </li>
+                {% else %}
+                <li class="page-item"><a class="page-link" href="?page={{ i }}">{{ i }}</a></li>
+                {% endif %}
+                {% endfor %}
+
+                {% if history.has_next%}
+                <li class="page-item">
+                    <a class="page-link" href="?page={{history.next_page_number}}">
+                        <span class="sr-only">{% trans "next page" %}</span>
+                        <svg class="icon icon-primary">
+                            <use href="{% static 'svg/sprite.svg' %}#it-chevron-right"></use>
+                        </svg>
+                    </a>
+                </li>
+                {% endif %}
+
+            </ul>
+        </nav>
+</div>
+
+{% endblock %}