Merge pull request #265 from italia/wallet-ta

Wallet TA

.github/workflows/docker-compose.yaml

@@ -0,0 +1,41 @@
+  name: docker-compose test
+  on:
+    push:
+      branches: [ main ]
+    pull_request:
+      branches: [ "*" ]
+
+  jobs:
+    docker:
+      timeout-minutes: 10
+      runs-on: ubuntu-latest
+
+      steps:        
+
+        - name: Checkout
+          uses: actions/checkout@v3
+
+        - name: Where I am?
+          run: | 
+            pwd
+            ls -al 
+
+        - name: Setup example projects - folder creation
+          run: | 
+            cp -R examples example-docker 
+
+        - name: Setup example projects - strings replacement
+          run: |
+            bash docker-prepare.sh
+        
+        # permission denied -> obvious :-)
+        #- name: Adds fake hosts
+          #run: | 
+            #echo 127.0.0.1   localhost  trust-anchor.org relying-party.org cie-provider.org wallet.trust-anchor.org > /etc/hosts
+
+        - name: Start containers
+          run: docker-compose -f "docker-compose.yml" up -d --build
+
+        - name: Stop containers
+          if: always()
+          run: docker-compose -f "docker-compose.yml" down

.github/workflows/python-app.yml

@@ -40,18 +40,25 @@ jobs:
     - name: Install spid-cie-oidc
       run: |
         pip install -e .
+
     - name: Lint with flake8
       run: |
         # stop the build if there are Python syntax errors or undefined names
         flake8 ./spid_cie_oidc  --count --select=E9,F63,F7,F82 --show-source --statistics
         # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
         flake8 ./spid_cie_oidc --count --exit-zero --statistics --max-line-length 120
+
+    - name: Bandit Security Scan
+      run: |
+        bandit -r -x tests/ spid_cie_oidc/*
+
     - name: spid_cie_oidc unit tests
       run: |
         cp examples/federation_authority/federation_authority/settingslocal.py.example examples/federation_authority/federation_authority/settingslocal.py
         coverage erase
         coverage run examples/federation_authority/manage.py test spid_cie_oidc
         coverage report -m --skip-covered
+
     - name: spid_cie_oidc example data imports
       run: |
         cp examples/federation_authority/federation_authority/settingslocal.py.example examples/federation_authority/federation_authority/settingslocal.py
@@ -77,6 +84,3 @@ jobs:
         #fail_ci_if_error: true
         #path_to_write_report: ./codecov_report.txt
         # verbose: true
-    - name: Bandit Security Scan
-      run: |
-        bandit -r -x tests/ spid_cie_oidc/*

README.md

@@ -104,7 +104,7 @@ sudo docker-compose up
 
 Configure a proper DNS resolution for trust-anchor.org. In GNU/Linux we can configure it in `/etc/hosts`:
 ````
-127.0.0.1   localhost  trust-anchor.org relying-party.org cie-provider.org
+127.0.0.1   localhost  trust-anchor.org relying-party.org cie-provider.org wallet.trust-anchor.org
 ````
 
 Point your web browser to `http://relying-party.org:8001/oidc/rp/landing` and do your first oidc authentication.

docker-compose.yml

@@ -60,5 +60,22 @@ services:
         python3 manage.py loaddata dumps/example.json &&
         python3 manage.py runserver 0.0.0.0:8001"
 
+  wallet.trust-anchor.org:
+    image: ghcr.io/italia/spid-cie-oidc-django:latest
+    # build:
+      # context: .
+      # dockerfile: ./Dockerfile
+    ports:
+      - "8005:8005"
+    volumes:
+      - ./examples-docker/wallet_trust_anchor:/django-project
+    networks:
+      - oidcfed
+    command: |
+        bash -c "cd /django-project/ &&
+        python3 manage.py migrate &&
+        python3 manage.py loaddata dumps/ta-ec.json &&
+        python3 manage.py runserver 0.0.0.0:8005"
+
 networks:
   oidcfed:

docker-prepare.sh

@@ -13,12 +13,16 @@ rm -f $EXPFOLDER/federation_authority/db.sqlite3
 export SUB_AT='s,http://127.0.0.1:8000/,http://trust-anchor.org:8000/,g'
 export SUB_RP='s,http://127.0.0.1:8001/,http://relying-party.org:8001/,g'
 export SUB_OP='s,http://127.0.0.1:8002/,http://cie-provider.org:8002/,g'
+export SUB_WTA='s,http://127.0.0.1:8000/,http://wallet.trust-anchor.org:8005/,g'
 
 # Apply the rewrite rules:
 
 sed -e $SUB_AT -e $SUB_RP -e $SUB_OP examples/federation_authority/dumps/example.json > $EXPFOLDER/federation_authority/dumps/example.json
 sed -e $SUB_AT -e $SUB_RP -e $SUB_OP examples/federation_authority/federation_authority/settingslocal.py.example > $EXPFOLDER/federation_authority/federation_authority/settingslocal.py
 
+sed -e $SUB_WTA examples/wallet_trust_anchor/dumps/ta-ec.json > $EXPFOLDER/wallet_trust_anchor/dumps/ta-ec.json
+sed -e $SUB_WTA examples/wallet_trust_anchor/wallet_trust_anchor/settingslocal.py.example > $EXPFOLDER/wallet_trust_anchor/wallet_trust_anchor/settingslocal.py
+
 sed -e $SUB_AT -e $SUB_RP -e $SUB_OP examples/relying_party/dumps/example.json > $EXPFOLDER/relying_party/dumps/example.json
 sed -e $SUB_AT -e $SUB_RP -e $SUB_OP examples/relying_party/relying_party/settingslocal.py.example > $EXPFOLDER/relying_party/relying_party/settingslocal.py
 

docs/CREATE_A_FEDERATION.md

@@ -48,7 +48,7 @@ The JWKS if not submitted it will be created automatically.
 ````
 from spid_cie_oidc.entity.models import *
 
-TA_SUB = "http://testserver/"
+TA_SUB = "http://testserver"
 FA_METADATA = {
     "federation_entity": {
         "contacts": ["ops@localhost"],
@@ -85,7 +85,7 @@ Using different kind of metadata we can create OpenID Relying Parties or Provide
 Just rememeber, for these latter, to add also the authority_hints value as follow.
 
 ````
-authority_hints = ["http://testserver/"]
+authority_hints = ["http://testserver"]
 ````
 
 ### Create a Federation Descendant via API
@@ -108,8 +108,8 @@ In examples/provider configure a federation entity configuration as OP:
 ````
 Open _http://127.0.0.1:8002/admin_ in you web browser and in FederationEntityConfiguration create a new entry with the following data:
 
-- sub (eg. 'http://127.0.0.1:8002/oidc/op/')
-- authority hints, list of trust anchor(eg. ["http://127.0.0.1:8000/"])
+- sub (eg. 'http://127.0.0.1:8002/oidc/op')
+- authority hints, list of trust anchor(eg. ["http://127.0.0.1:8000"])
 - Jwks, private jwks, if you don't have one please create a pair of private using the OnBoarding tool `Create a JWK`.
 - metadata, url paths in metadata need to be mapped in `examples/relying_party/urls.py`, [here](https://github.com/italia/spid-cie-oidc-django/blob/dev/examples/provider/provider/urls.py#L48).
 
@@ -122,7 +122,7 @@ Access to the Federation Authority admin backend and configure your OP as a desc
 In the admin page of your Trust Anchor (http://127.0.0.1:8000/admin) create a descendant entity with the following paramenters:
 
 - OP name
-- sub (eg. 'http://127.0.0.1:8002/oidc/op/')
+- sub (eg. 'http://127.0.0.1:8002/oidc/op')
 - Jwks, public jwks available in the OP's entity configuration
 - is_active, must set to True
 
@@ -148,8 +148,8 @@ In examples/relying_party configure a federation entity configuration as RP:
 ````
 In the admin page (http://127.0.0.1:[port]/admin) create a FederationEntityConfiguration with at least these parameters:
 
-- sub (eg. 'http://127.0.0.1:[port]/oidc/rp/')
-- authority hints, list of trust anchor(eg. ["http://127.0.0.1:8000/"])
+- sub (eg. 'http://127.0.0.1:[port]/oidc/rp')
+- authority hints, list of trust anchor(eg. ["http://127.0.0.1:8000"])
 - Jwks, private jwks, If you don't have one please create a pair of private/public using the OnBoarding tool `Create a JWK`.
 - metadata, url paths in metadata need to be mapped in examples/relying_party/urls.py, [here](https://github.com/italia/spid-cie-oidc-django/blob/dev/examples/relying_party/relying_party/urls.py#L42).
 - is_active, must set to True
@@ -165,7 +165,7 @@ Access to the Federation Authority admin backend and configure your RP as descen
 In the admin page of your Trust Anchor (http://127.0.0.1:8000/admin) create a descendant entity with the following paramenters:
 
 - RP name
-- sub (eg. 'http://127.0.0.1:[port]/oidc/rp/')
+- sub (eg. 'http://127.0.0.1:[port]/oidc/rp')
 - Jwks, public jwks, the public jwk of the private configurd in the FederationEntityConfiguration of the RP.
 - is_active, must set to True
 

docs/FEDERATION_METADATA_POLICY.md

@@ -114,7 +114,7 @@ md = {
  ],
   "logo_uri":  "https://idp.it/statics/logo.svg",
   "organization_name": "SPID OIDC identity provider",
-  "op_policy_uri":  "https://idp.it/en/website/legal-information/",
+  "op_policy_uri":  "https://idp.it/en/website/legal-information",
   "request_parameter_supported": True,
   "request_uri_parameter_supported": True,
   "require_request_uri_registration": True,

docs/HISTORICAL_KEY_REGISTRY.md

@@ -0,0 +1,13 @@
+# Federation historical key registry
+
+If you have to revoke/expire a federation key of one of your entity you just have to:
+
+1. create a new `federationhistoricalkey` at `/admin/spid_cie_oidc_entity/federationhistoricalkey/`
+2. copy the Federation KID you want to instantiate and configure the `inactive_from` datetime
+3. optionally you can specify a revocation motivation if the key is not simply expired
+
+When you save, the correspondig jwk configured in your entity's `jwks_fed` JSON object will be removed 
+from your entity configuration and published in the historical registry
+
+![fhkr](images/fhkr.png)
+*The revoked key with the motivation of the revocation*.

docs/JWT_SIGNATURE_ENCRYPTION_API.md

@@ -34,7 +34,7 @@ payload=
     'code_challenge_method': 'S256', 
     'nonce': 'MBzGqyf9QytD28eupyWhSqMj78WNqpc2', 
     'prompt': 'consent login', 
-    'redirect_uri': 'https://rp.cie.it/callback1/', 
+    'redirect_uri': 'https://rp.cie.it/callback1', 
     'acr_values': 'CIE_L1 CIE_L2', 
     'claims': {
         'id_token': {
@@ -107,4 +107,4 @@ Create a jws as described above, then
 ````
 from spid_cie_oidc.entity.jwtse import unpad_jwt_payload
 unpad_jwt_payload(jws)
-````
+````

docs/technical_specifications/AUTHORITY.md

@@ -51,27 +51,27 @@ The entity's result set must have a descendant ordering with higher iat on top.
 A response example: 
 ````
 {
-    "iss": "https://registry.spid.gov.it/",
+    "iss": "https://registry.spid.gov.it",
     "iat": 1620050972,
     "entities": [
         {
-            "https://rp.example.it/spid/": {
+            "https://rp.example.it/spid": {
             "iat": 1588455866,
             },
             {
-            "https://rp.another.it/spid/": {
+            "https://rp.another.it/spid": {
             "iat": 1588455856,
             },
             {
-            "https://rp.it/spid/": {
+            "https://rp.it/spid": {
             "iat": 1588355866,
             },
         ... # many other entries
     ],
     "page": 1,
     "total_pages": 2,
     "total_entries": 189,
-    "next_page_path": "/federation_adv_list/?page=2",
+    "next_page_path": "/federation_adv_list?page=2",
     "prev_page_path": ""
 }
 ```` 
@@ -80,8 +80,8 @@ A response example:
 
 An entity MAY use the resolve endpoint to fetch resolved metadata and trust marks for an entity as seen/trusted by the resolver. 
 
-- `http://127.0.0.1:8000/resolve/?sub=http://127.0.0.1:8000/oidc/rp/&anchor=http://127.0.0.1:8000/&format=json`
-- `http://127.0.0.1:8000/resolve/?sub=http://127.0.0.1:8000/oidc/op/&anchor=http://127.0.0.1:8000/`
+- `http://127.0.0.1:8000/resolve?sub=http://127.0.0.1:8000/oidc/rp/&anchor=http://127.0.0.1:8000&format=json`
+- `http://127.0.0.1:8000/resolve?sub=http://127.0.0.1:8000/oidc/op/&anchor=http://127.0.0.1:8000`
 
 
 #### trust mark status

docs/technical_specifications/RELYING_PARTY.md

@@ -40,10 +40,10 @@ Example
 ````
 OIDCFED_IDENTITY_PROVIDERS = {
   "spid": {
-    "http://127.0.0.1:8000/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
+    "http://127.0.0.1:8000/oidc/op" : OIDCFED_DEFAULT_TRUST_ANCHOR,
   },
   "cie": {
-    "http://127.0.0.1:8002/oidc/op/" : OIDCFED_DEFAULT_TRUST_ANCHOR,
+    "http://127.0.0.1:8002/oidc/op" : OIDCFED_DEFAULT_TRUST_ANCHOR,
   }
 }
 ````