Merge pull request #150 from italia/dev

OP cie configuration (#149)

build_pypi.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+PROJ_NAME=$(ls | grep *.egg-info | sed -e 's/.egg-info//g') ; rm -R build/ dist/*  *.egg-info ; pip uninstall $PROJ_NAME ; python setup.py build sdist
+twine upload dist/*

docs/technical_specifications/RELYING_PARTY.md

@@ -37,8 +37,12 @@ Regarding django user management
 Example
 ````
 OIDCFED_IDENTITY_PROVIDERS = {
+  "spid": {
     "http://127.0.0.1:8000/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
-    "http://127.0.0.1:8002/" : OIDCFED_DEFAULT_TRUST_ANCHOR
+  },
+  "cie": {
+    "http://127.0.0.1:8002/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
+  }
 }
 ````
 
@@ -68,27 +72,68 @@ RP_PROVIDER_PROFILES = getattr(
         "spid": {
             "authorization_request": {"acr_values": AcrValuesSpid.l2.value},
             "rp_metadata": RPMetadataSpid,
-            "authn_response": AuthenticationResponse
+            "authn_response": AuthenticationResponse,
+            "token_response": TokenResponse
         },
         "cie": {
             "authorization_request": {"acr_values": AcrValuesCie.l2.value},
             "rp_metadata": RPMetadataCie,
-            "authn_response": AuthenticationResponseCie
+            "authn_response": AuthenticationResponseCie,
+            "token_response": TokenResponse
         },
     },
 )
 ````
 - `RP_USER_LOOKUP_FIELD`, which user attribute will be used to link to a preexisting account, example: `RP_USER_LOOKUP_FIELD = "fiscal_number"`.
 - `RP_USER_CREATE`, if a newly logged user can be created, example: `RP_USER_CREATE = True`
+- `RP_REQUEST_CLAIM_BY_PROFILE`
 
+Example
+````
+RP_REQUEST_CLAIM_BY_PROFILE = {
+    "spid": SPID_REQUESTED_CLAIMS,
+    "cie": CIE_REQUESTED_CLAIMS,
+}
+
+SPID_REQUESTED_CLAIMS = getattr(
+    settings,
+    "RP_REQUIRED_CLAIMS",
+    {
+        "id_token": {
+            "https://attributes.spid.gov.it/familyName": {"essential": True},
+            "https://attributes.spid.gov.it/email": {"essential": True},
+        },
+        "userinfo": {
+            "https://attributes.spid.gov.it/name": None,
+            "https://attributes.spid.gov.it/familyName": None,
+            "https://attributes.spid.gov.it/email": None,
+            "https://attributes.spid.gov.it/fiscalNumber": None,
+        },
+    },
+)
+
+CIE_REQUESTED_CLAIMS = getattr(
+    settings,
+    "RP_REQUIRED_CLAIMS",
+    {
+        "id_token": {"family_name": {"essential": True}, "email": {"essential": True}},
+        "userinfo": {
+            "given_name": None,
+            "family_name": None,
+            "email": None,
+        },
+    },
+)
+````
 
 ## OIDC Federation CLI
 
-`fetch_openid_providers` build the Trust Chains for each `OIDCFED_IDENTITY_PROVIDERS`. 
+`fetch_openid_providers` build the Trust Chains for each `OIDCFED_IDENTITY_PROVIDERS`. Flag '-f' force trust chian renew even if is still valid.
 ````
 examples/federation_authority/manage.py fetch_openid_providers --start -f
 
 ````
+Flag '-f' force trust chian renew.
 
 ## Usage
 

examples/federation_authority/federation_authority/settingslocal.py.example

@@ -22,8 +22,12 @@ OIDCFED_TRUST_ANCHORS = [OIDCFED_DEFAULT_TRUST_ANCHOR]
 
 # for RP only
 OIDCFED_IDENTITY_PROVIDERS = {
+  "spid": {
     "http://127.0.0.1:8000/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
-    "http://127.0.0.1:8002/" : OIDCFED_DEFAULT_TRUST_ANCHOR
+  },
+  "cie": {
+    "http://127.0.0.1:8002/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
+  }
 }
 
 OIDCFED_REQUIRED_TRUST_MARKS = []

spid_cie_oidc/__init__.py

@@ -1 +1 @@
-__version__ = "0.4.13"
+__version__ = "0.4.14"

spid_cie_oidc/entity/schemas/jwks.py

@@ -42,9 +42,9 @@ def validate_e(cls, e_value, values):
 
 
 class JwkCie(Jwk):
-    x: str  # Base64url-encoded
-    y: str  # Base64url-encoded
-    crv: Literal["P-256", "P-384", "P-521"]
+    x: Optional[str]  # Base64url-encoded
+    y:  Optional[str]  # Base64url-encoded
+    crv:  Optional[Literal["P-256", "P-384", "P-521"]]
 
     @validator("x")
     def validate_x(cls, x_value, values):

spid_cie_oidc/onboarding/forms.py

@@ -46,7 +46,7 @@ class OnboardingRegistrationForm(forms.Form):
     )
 
     public_jwks = forms.JSONField(
-        initial=dict,
+        initial=list,
         label=_("public jwks of the entities"),
         error_messages={"required": _("Enter the public jwks of the entities")},
         validators=[validate_public_jwks],

spid_cie_oidc/onboarding/migrations/0005_alter_onboardingregistration_status.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.2 on 2022-03-16 16:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('spid_cie_oidc_onboarding', '0004_alter_onboardingregistration_public_jwks'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='onboardingregistration',
+            name='status',
+            field=models.CharField(choices=[('onboarded', 'onboarded'), ('failed', 'failed'), ('processing', 'processing'), ('acquired', 'acquired')], default='acquired', max_length=33),
+        ),
+    ]

spid_cie_oidc/onboarding/templates/base.html

@@ -122,7 +122,9 @@ <h3 class="no_toc">VALIDATORS</h3>
                         <li><a class="list-item" href="{% url 'oidc_onboarding_validate_authn_request_jwt'%}?provider_profile=spid">
                             <span>{% trans "Validate Authn Request Spid" %}</span></a></li> 
                         <li><a class="list-item" href="{% url 'oidc_onboarding_validate_authn_request_jwt'%}?provider_profile=cie">
-                            <span>{% trans "Validate Authn Request Cie" %}</span></a></li> 
+                            <span>{% trans "Validate Authn Request Cie" %}</span></a></li>
+                        <li><a class="list-item" href="{% url 'oidc_onboarding_validate_ec' %}">
+                            <span>{% trans "Validate Entity Configuration" %}</span></a></li>  
                         <li><a class="list-item" href="{% url 'oidc_onboarding_validating_trustmark' %}">
                             <span>{% trans "Trust mark validation" %}</span></a></li> 
 

spid_cie_oidc/onboarding/templates/onboarding_validate_ec.html

@@ -0,0 +1,33 @@
+<!-- Extends default Bootstrap Unical Italia template -->
+{% extends 'base.html' %}
+{% load i18n %}
+
+{% block centered_container %}
+<div class="col-12 pl-lg-4">
+    <h4 class="text-left">
+        {% trans "Validate entity configuration" %}
+    </h4>
+
+    <p class="pt-4 mb-0">
+        {% trans "enter a url of entity to check if it is compatible" %}
+    </p>
+
+    <form method="post" action="">
+        {% csrf_token %}
+        <div class="form-row">
+            <div class="col-12 form-group my-3">
+            <label for="id_url">
+                <span class="form-label-content">
+                    url of the entity
+                </span>
+            </label>
+
+            <input type="url" class="form-control" id="id_url" name="url" value="{{url}}">
+
+            </div>
+            <span for="id_url" class="text-danger"></span>
+        </div>
+        <input type="submit" name="confirm" class="btn btn-lg btn-primary btn-block" value="{% trans 'validate' %}" />
+    </form>
+</div>
+{% endblock %}

spid_cie_oidc/onboarding/templates/onboarding_validate_md.html

@@ -20,7 +20,7 @@ <h4 class="text-left">
             <div class="col-12 form-group my-3">
                 <label for="id_md">
                     <span class="form-label-content">
-                        metadata
+                        {{field_name}}
                     </span>
                 </label>
                 <textarea id="id_md" rows="14" name="md">{{ md }}</textarea>

spid_cie_oidc/onboarding/urls.py

@@ -35,6 +35,7 @@
     onboarding_schemas_token,
     onboarding_schemas_jwt_client_assertion,
     onboarding_validate_authn_request,
+    onboarding_validate_ec,
 )
 
 _PREF = getattr(settings, "OIDC_PREFIX", "")
@@ -130,4 +131,9 @@
         onboarding_validate_authn_request,
         name="oidc_onboarding_validate_authn_request_jwt",
     ),
+    path(
+        f"{_PREF}onboarding/tools/validate-ec",
+        onboarding_validate_ec,
+        name="oidc_onboarding_validate_ec",
+    ),
 ]

spid_cie_oidc/onboarding/views.py

@@ -21,6 +21,7 @@
 
 from spid_cie_oidc.entity.jwtse import unpad_jwt_head, unpad_jwt_payload, verify_jws
 from spid_cie_oidc.authority.views import trust_mark_status, resolve_entity_statement
+from spid_cie_oidc.authority.validators import validate_entity_configuration
 from spid_cie_oidc.onboarding.schemas.authn_requests import AuthenticationRequestSpid
 from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationResponse
 from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationErrorResponse
@@ -190,7 +191,8 @@ def onboarding_validate_md(request):
         "metadata_type": metadata_type,
         "provider_profile": provider_profile,
         "title": title,
-        "description": description
+        "description": description,
+        "field_name":"metadata"
     }
     if request.POST.get('md'):
         md = request.POST['md']
@@ -199,6 +201,7 @@ def onboarding_validate_md(request):
             "provider_profile": provider_profile,
             "title": title,
             "description":description,
+            "field_name":"metadata",
             "md": md
         }
         md_str_double_quote = md.replace("'", '"')
@@ -228,14 +231,16 @@ def onboarding_validate_authn_request(request):
     context = {
         "provider_profile": provider_profile,
         "title": title,
-        "description": description
+        "description": description,
+        "field_name":"jwt"
     }
     if request.POST.get('md'):
         jwt_str = request.POST['md']
         context = {
             "provider_profile": provider_profile,
             "title": title,
             "description": description,
+            "field_name":"jwt",
             "md": jwt_str
         }
         payload = unpad_jwt_payload(jwt_str)
@@ -248,6 +253,19 @@ def onboarding_validate_authn_request(request):
         return render(request, 'onboarding_validate_md.html', context)
     return render(request, 'onboarding_validate_md.html', context)
 
+def onboarding_validate_ec(request):
+    context={}
+    if request.POST:
+        url = request.POST.get("url")
+        context = {"url": url}
+        try:
+            validate_entity_configuration(url)
+            messages.success(request, _('Validation Entity Configuration Successfully'))
+        except Exception as e :
+            messages.error(request, f"Validation Failed: {e}")
+            return render(request, 'onboarding_validate_ec.html', context)
+    return render(request, 'onboarding_validate_ec.html', context)
+
 
 def onboarding_decode_jwt(request):
     context = {

spid_cie_oidc/provider/migrations/0006_oidcsession_acr.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.0.2 on 2022-03-16 16:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('spid_cie_oidc_provider', '0005_oidcsession_sid'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='oidcsession',
+            name='acr',
+            field=models.CharField(default='https://www.spid.gov.it/SpidL2', max_length=1024),
+            preserve_default=False,
+        ),
+    ]

spid_cie_oidc/provider/models.py

@@ -31,6 +31,7 @@ class OidcSession(TimeStampedModel):
 
     revoked = models.BooleanField(default=False)
     auth_code = models.CharField(max_length=2048, blank=False, null=False)
+    acr = models.CharField(max_length=1024, blank=False, null=False)
 
     def set_sid(self, request):
         try:

spid_cie_oidc/provider/settings.py

@@ -6,6 +6,8 @@
     OPMetadataSpid
 )
 from spid_cie_oidc.onboarding.schemas.authn_requests import (
+    AcrValuesCie,
+    AcrValuesSpid,
     AuthenticationRequestCie,
     AuthenticationRequestSpid
 )
@@ -103,7 +105,6 @@
 )
 
 OIDCFED_PROVIDER_SALT = getattr(settings, "OIDCFED_PROVIDER_SALT", "CHANGEME")
-
 OIDCFED_DEFAULT_PROVIDER_PROFILE = getattr(settings, "OIDCFED_PROVIDER_PROFILE", "spid")
 
 OIDCFED_PROVIDER_MAX_REFRESH = 1
@@ -114,6 +115,10 @@
     "OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE",
     10
 )
+OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR = dict(
+    spid = AcrValuesSpid.l2.value,
+    cie = AcrValuesCie.l2.value
+)
 
 OIDCFED_ATTRNAME_I18N = {
     # SPID
@@ -149,4 +154,4 @@
     # "document_details":  ,
     # "e_delivery_service":  ,
     "physical_phone_number": _("Phone number"),
-}
+}

spid_cie_oidc/provider/templates/op_base.html

@@ -39,7 +39,7 @@
 
 <!-- Organization name in Header -->
 {% block header_center_org_name %}
-<a href="{% url 'spid_cie_rp_landing'%}">{% trans "OIDC Provider" %}</a>
+<a href="#">{% trans "OIDC Provider" %}</a>
 {% endblock header_center_org_name %}
 
 {% block main_menu %}{% endblock main_menu %}

spid_cie_oidc/provider/tests/test_03_refresh_token.py

@@ -69,7 +69,7 @@ def setUp(self):
             user=User.objects.create(username = "username"),
             user_uid="",
             nonce="",
-            authz_request={"scope": "openid", "nonce": "123"},
+            authz_request={"scope": "openid", "nonce": "123", "acr_values":["https://www.spid.gov.it/SpidL2"]},
             client_id="",
             auth_code="code",
         )

spid_cie_oidc/provider/tests/test_07_fetch_relying_parties.py

@@ -66,7 +66,7 @@ def exec(self, cmd_name:str, *args, **kwargs):
             **kwargs,
         )
 
-    @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"})
+    @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"spid":{"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"}, "cie":{}})
     @override_settings(OIDCFED_TRUST_ANCHOR = [])
     def test_fetch_rp(self):
         self.patcher = patch(

spid_cie_oidc/provider/views/__init__.py

@@ -237,7 +237,8 @@ def get_id_token(
             "at_hash": left_hash(jwt_at, "HS256"),
             "c_hash": left_hash(authz.auth_code, "HS256"),
             "aud": [authz.client_id],
-            "iss": iss_sub
+            "iss": iss_sub,
+            "acr": authz.acr
         }
         claims = self.get_id_token_claims(authz)
         if claims: