Merge remote-tracking branch 'upstream/dev' into dev

.github/workflows/python-app.yml

@@ -39,18 +39,7 @@ jobs:
         if [ -f requirements-customizations.txt ]; then pip install -r requirements-customizations.txt; fi
         python -m pip install -U setuptools
         python -m pip install -e .
-        python -m pip install satosa
-    - name: Install MongoDB
-      run: |
-        sudo apt-get install -y gnupg wget
-        sudo wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
-        sudo echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
-        sudo apt-get update
-        sudo apt-get install -y mongodb-org
-    - name: Start MongoDB
-      run: |
-        sudo systemctl start mongod
-
+        python -m pip install "Pillow>=10.0.0,<10.1" "device_detector>=5.0,<6" "satosa>=8.4,<8.6" "jinja2>=3.0,<4"
     - name: Lint with flake8
       run: |
         # stop the build if there are Python syntax errors or undefined names
@@ -59,7 +48,7 @@ jobs:
         flake8 pyeudiw --count --exit-zero --statistics  --max-line-length 160
     - name: Tests
       run: |
-        pytest --cov
+        pytest --cov=pyeudiw -v --cov-report term --cov-fail-under=80 pyeudiw/tests/
     - name: Bandit Security Scan
       run: |
         bandit -r -x pyeudiw/tests* pyeudiw/*

.gitignore

@@ -160,8 +160,8 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 .idea/
 
-*.db
+env
 
-wordpress/*
-!wordpress/wp-content/
-wordpress/wp-content/plugins/onelogin-saml-sso/
+*/wordpress-plugin
+*/wordpress-theme
+*/__MACOSX

README-SATOSA.md

@@ -1,5 +1,7 @@
 # SATOSA backend setup
 
+Install extra dependency: `pip install pyeudiw[satosa]`
+
 
 1. Customize [example/satosa/pyeudiw_backend.yaml](example/satosa/pyeudiw_backend.yaml), then copy it in your satosa `plugins/backend` project folder. Example `plugins/backends/pyeudiw_backend.yaml`;
 2. Add `  - "plugins/backends/pyeudiw_backend.yaml"` in your SATOSA `proxy_conf.yaml` file, within the section `BACKEND_MODULES`;
@@ -8,3 +10,11 @@
 5. Customize  [example/satosa/disco.html](example/satosa/disco.html), then copy it in satosa static file folder. Example `example/static/disco.html`
 
 Then start the proxy.
+
+# Parameters
+
+TBD. A Markdown table with:
+
+ - parameter name
+ - description
+ - example value 

README.md

@@ -7,25 +7,25 @@
 [![Get invited](https://slack.developers.italia.it/badge.svg)](https://slack.developers.italia.it/)
 [![Join the #spid openid](https://img.shields.io/badge/Slack%20channel-%23spid%20openid-blue.svg)](https://developersitalia.slack.com/archives/C7E85ED1N/)
 
-EUDI Wallet Python toolchain is a suite of Python libraries designed to
+The EUDI Wallet Python toolchain is a suite of Python libraries designed to
 make it easy the implementation of an EUDI Wallet Relying Party according 
 to the [Italian specification](https://italia.github.io/eudi-wallet-it-docs/en/).
 
-> Please note: the scope of this project is giving tools and helpers to build a EUDI Wallet compliant to the national specs. All the components listed below are tailored to this scope.
+> Please note: the scope of this project is giving tools and helpers to build a EUDI Wallet compliant to the national specs. 
+All the components listed below are tailored to this scope.
 
 The toolchain contains the following components:
 
 | Name | Description |
 | :--- | --- |
-| __tools.jwk__ | Creation of JSON Web Key (JWK) according to [RFC7517](https://datatracker.ietf.org/doc/html/rfc7517). | refs to docs |
-| __tools.jwt__ | Creation of signed or encrypted JSON Web Token (JWT) according to [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519), [RFC7515](https://datatracker.ietf.org/doc/html/rfc7515) and [RFC7516](https://datatracker.ietf.org/doc/html/rfc7516) | refs to docs |
-| __tools.ui.qrcode__ | Creation of QRCodes | refs to docs |
+| __jwk__ | Creation of JSON Web Key (JWK) according to [RFC7517](https://datatracker.ietf.org/doc/html/rfc7517). | refs to docs |
+| __jwt__ | Creation of signed or encrypted JSON Web Token (JWT) according to [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519), [RFC7515](https://datatracker.ietf.org/doc/html/rfc7515) and [RFC7516](https://datatracker.ietf.org/doc/html/rfc7516) | refs to docs |
+| __tools.qrcode__ | Creation of QRCodes | refs to docs |
 | __oauth2.dpop__ | Tools for issuing and parsing DPoP artifacts, according to [OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop) | refs to docs |
 | __oauth2.par__ | Tools for issuing and parsing Pushed Authorization Requests, according to [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) | refs to docs |
 | __openid4vp.request__ | Tools for issuing [OpenID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) requests objects | refs to docs |
 | __openid4vp.redirect__ | Tools for parsing [OpenID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) responses | refs to docs |
 | __openid4vp.federation__ | OpenID Connect Federation Wallet Relying Party Entities and Trust Mechanisms | refs to docs |
-| __dif.presentation_exchange__ | [DiF Presentation Exchange 2.0](https://identity.foundation/presentation-exchange/) | refs to docs |
 | __satosa.openid4vp.backend__ | SATOSA Openid4VP Relying Party backend | refs to docs |
 
 
@@ -45,11 +45,11 @@ virtualenv -p python3 env
 source env/bin/activate
 ````
 
-Install using pip
+Install using pip:
 
 `pip install pyeudiw`
 
-Install using github
+Install using github:
 
 `pip install git+https://github.com/italia/eudi-wallet-it-python`
 

example/README.md

@@ -16,4 +16,31 @@ Run the stack
 sudo docker-compose up
 ````
 
-Point your web browser to `http://.....` to start your EUDI Wallet authentication to a Wordpress demo site.
+Point your web browser to `http://localhost:8080` to start your EUDI Wallet authentication to a Wordpress demo site.
+
+
+## First Installation
+
+Follow the on-screen instructions to complete the WordPress installation.
+1. You will be prompted to enter some basic information to complete the initial configuration of your WordPress site. This includes:
+    * Site Title: Enter a title for your WordPress site.
+    * Username: Choose a username for your administrator account.
+    * Password: Choose a strong password for your administrator account.
+    * Your Email: Enter an email address where you can receive notifications from your WordPress site.
+    * Search Engine Visibility: Choose whether or not you want search engines to index your site.
+2. Click on the “Install WordPress” button to complete the initial configuration. 
+
+## Installing the ItaliaWP2 Theme
+
+1. Log in to the WordPress dashboard at http://localhost:8080/wp-admin (replace 8080 with the port specified in the docker-compose.yml file) using your administrator credentials.
+2. In the sidebar, go to “Appearance” > “Themes” and activate the ItaliaWP2 theme that you just installed.
+
+After following these steps, your WordPress instance should be up and running with the ItaliaWP2 theme installed and activated.
+
+## Installing the OneLogin SAML SSO plugin
+
+1. Log in to the WordPress dashboard at http://localhost:8080/wp-admin (replace 8080 with the port specified in the docker-compose.yml file) using your administrator credentials.
+2. Under [plugins](http://localhost:8080/wp-admin/plugins.php), activate the plugin OneLogin SAML SSO.
+3. Configure the plugin OneLogin SAML SSO in the [settings tab](http://localhost:8080/wp-admin/options-general.php?page=onelogin_saml_configuration).
+
+To configure a generic SAML connection, you will need to enter appropriate values in OneLogin SAML SSO plugin settings. These include Identity Provider URL, Assertion Consumer Service URL, Single Logout Service URL, and other parameters specific to your SAML configuration.

example/docker-compose.yml

@@ -0,0 +1,59 @@
+version: '3.1'
+
+services:
+  database:
+    mem_limit: 2048m
+    image: mariadb:10.6.4-focal
+    restart: unless-stopped
+    ports:
+      - 3306:3306
+    env_file: .env
+    environment:
+      MYSQL_DATABASE: '${MYSQL_DATABASE}'
+      MYSQL_USER: '${MYSQL_USER}'
+      MYSQL_PASSWORD: '${MYSQL_PASSWORD}'
+      MYSQL_ROOT_PASSWORD: '${MYSQL_ROOT_PASSWORD}'
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      - wordpress-network
+
+  phpmyadmin:
+    depends_on:
+      - database
+    image: arm64v8/phpmyadmin:5.2.1-apache
+    restart: unless-stopped
+    ports:
+      - 8081:80
+    env_file: .env
+    environment:
+      PMA_HOST: database
+      MYSQL_ROOT_PASSWORD: '${MYSQL_ROOT_PASSWORD}'
+    networks:
+      - wordpress-network
+
+  wordpress:
+    depends_on:
+      - database
+    image: wordpress:5.4.0-apache
+    restart: unless-stopped
+    ports:
+      - 8080:80
+    env_file: .env
+    environment:
+      WORDPRESS_DB_HOST: database:3306
+      WORDPRESS_DB_NAME: '${MYSQL_DATABASE}'
+      WORDPRESS_DB_USER: '${MYSQL_USER}'
+      WORDPRESS_DB_PASSWORD: '${MYSQL_PASSWORD}'
+    volumes:
+      - ./wordpress-plugin/onelogin-saml-sso/:/var/www/html/wp-content/plugins/onelogin-saml-sso/
+      - ./wordpress-theme/italiawp2/:/var/www/html/wp-content/themes/italiawp2/
+    networks:
+      - wordpress-network
+
+volumes:
+  db-data:
+
+networks:
+  wordpress-network:
+    driver: bridge

example/docker-prepare.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+plugin_url="https://downloads.wordpress.org/plugin/onelogin-saml-sso.zip"
+theme_url="https://raw.githubusercontent.com/italia/design-wordpress-theme-italiaWP2/master/italiawp2.zip"
+plugin_folder="./wordpress-plugin"
+theme_folder="./wordpress-theme"
+
+mkdir -p $plugin_folder
+mkdir -p $theme_folder
+
+#download and unzip of plugin
+curl -O $plugin_url
+unzip onelogin-saml-sso.zip
+rm onelogin-saml-sso.zip
+
+# Move the content of the subfolder to the specified folder
+mv onelogin-saml-sso $plugin_folder
+
+# Remove the empty folder
+rmdir onelogin-saml-sso/onelogin-saml-sso
+rmdir onelogin-saml-sso
+
+#download and unzip of theme
+curl -O $theme_url
+unzip italiawp2.zip
+rm italiawp2.zip
+
+# Move the unzipped content to the specified folder
+mv italiawp2 $theme_folder

example/satosa/pyeudiw_backend.yaml

@@ -2,24 +2,65 @@ module: pyeudiw.satosa.backend.OpenID4VPBackend
 name: OpenID4VP
 
 config:
-  #Those are the endpoints listed on eudi wallet backend
+
+  ui:
+    static_storage_url: "https://localhost:9999"
+    template_folder: "templates" # project root
+    qrcode_template: "qrcode.html"
+    error_template: "error.html"
+    error_url: "https://localhost:9999/error_page.html"
 
   endpoints:
       pre_request: '/<name>/pre-request'
       redirect: '/<name>/redirect_uri'
       request: '/<name>/request_uri'
-      entity_configuration: '/<name>/entity_configuration'
-
-  error_url: "https://localhost:9999/error_page.html"
+      entity_configuration: '/<name>/.well-known/openid-federation'
 
   qrcode_settings:
     size: 100
     color: '#2B4375'
     logo_path: 
-    use_zlib: true
+    use_zlib: false
+
+  jwt_settings:
+    default_sig_alg: ES256 # or RS256
+    default_exp: 6         # minutes
+
+  authorization:
+    url_scheme: "eudiw" # eudiw://
+    scopes: 
+    - pid-sd-jwt:unique_id+given_name+family_name
+
+  federation:
+    metadata_type: "wallet_relying_party"
+    federation_authorities:
+        - https://localhost:8000
+    default_sig_alg: "RS256"
+
+    # private jwk
+    federation_jwks:
+      - kty: RSA
+        d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
+        e: AQAB
+        kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
+        n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
+        p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
+        q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
+
+    trust_marks: # todo
+    - ...
+
+  # private jwk
+  metadata_jwks: 
+  - crv: P-256
+    d: KzQBowMMoPmSZe7G8QsdEWc1IvR2nsgE8qTOYmMcLtc
+    kid: dDwPWXz5sCtczj7CJbqgPGJ2qQ83gZ9Sfs-tJyULi6s
+    kty: EC
+    x: TSO-KOqdnUj5SUuasdlRB2VVFSqtJOxuR5GftUTuBdk
+    y: ByWgQt1wGBSnF56jQqLdoO1xKUynMY-BHIDB3eXlR7
 
   #This is the configuration for the relaying party metadata
-  wallet_relying_party:
+  metadata:
     application_type: web
 
     #The following section contains all the algorithms supported for the encryption of response
@@ -37,16 +78,15 @@ config:
       - RS256
       - ES256
 
-    default_sign_alg: RS256
-
     #Various informations of the client
-    client_id: <base>/<name>
+    client_id: "<base_url>/<name>"
     client_name: Name of an example organization
     contacts:
       - [email protected]
     default_acr_values:
       - https://www.spid.gov.it/SpidL2
       - https://www.spid.gov.it/SpidL3
+
     default_max_age: 1111
 
     #The following section contains all the algorithms supported for the encryption of id token response
@@ -64,23 +104,15 @@ config:
       - RS256
       - ES256
 
-    jwks:
-      keys:
-        - e: AQAB
-          kid: YhNFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs
-          kty: RSA
-          n: "1Ta-sE \u2026"
-          use: sig
-          x5c:
-          - '...'
-      # time in ms
-      token_exp_delta: 600000
+    # loaded in the __init__
+    # jwks:
 
     #This section contains the details for presentation request
     presentation_definitions:
       - id: pid-sd-jwt:unique_id+given_name+family_name
         input_descriptors:
-        - format:
+        - id: pid-sd-jwt:unique_id+given_name+family_name
+          format:
             constraints:
               fields:
               - filter:
@@ -106,7 +138,6 @@ config:
               alg:
               - EdDSA
               - ES256
-          id: sd-jwt
       - id: mDL-sample-req
         input_descriptors:
         - format:
@@ -139,9 +170,10 @@ config:
           id: mDL
 
     redirect_uris:
-      - <base>/<name>/redirect_uri
+      - <base_url>/<name>/redirect_uri
     request_uris:
-      - <base>/<name>/request_uri
+      - <base_url>/<name>/request_uri
+
     require_auth_time: true
     subject_type: pairwise
 

example/satosa/templates/base.html

@@ -0,0 +1,14 @@
+{# templates/base.html #}
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>{% block title %}{{ title }}{% endblock title %}</title>
+</head>
+
+<body>
+  <h1>{{ test_name }} Results</h1>
+  {% block body %}{% endblock %}
+</body>
+</html>

example/satosa/templates/qr_code.html

@@ -0,0 +1,10 @@
+{% extends "base.html" %}
+
+
+{% block body %}
+
+<h1>Inquadra il qr code con il tuo smartphone</h1>
+
+<img src='data:image/svg+xml, {{ qrcode_svg }}'>
+
+{% endblock body %}