Merge pull request #134 from italia/dev

0.7.0

.github/workflows/python-app.yml

@@ -10,7 +10,22 @@ on:
     branches: [ "*" ]
 
 jobs:
-  build:
+
+  pre_job:
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - id: skip_check
+        uses: fkirc/[email protected]
+        with:
+          skip_after_successful_duplicate: 'true'
+          same_content_newer: 'true'
+
+  main_job:
+
+    needs: pre_job
+    if: needs.pre_job.outputs.should_skip != 'true'
 
     runs-on: ubuntu-latest
 

README-SATOSA.md → README.SATOSA.md

@@ -8,15 +8,16 @@ To install the OpenID4VP SATOSA backend you just need to:
 4. include the backend configuration in your satosa configuration
 5. customize the file `internal_attributes.yaml` used in your deployment, enabling the `openid4vp` protocol. See [example/satosa/internal_attributes.yaml](example/satosa/internal_attributes.yaml) as example. 
 6. start Satosa.
-7. configure an httpd fronted such NginX, see `uwsgi_setup` folder within the Satosa-Saml2Spid or integrate any additional parameter to your configuration, according to the `uwsgi_setup` examples distributes in Satosa-Saml2Spid.
 
 ## Backend configuration
 
 1. Customize [example/satosa/pyeudiw_backend.yaml](example/satosa/pyeudiw_backend.yaml), then copy it in your satosa `plugins/backend` project folder. Example `plugins/backends/pyeudiw_backend.yaml`;
 2. Add `  - "plugins/backends/pyeudiw_backend.yaml"` in your SATOSA `proxy_conf.yaml` file, within the section `BACKEND_MODULES`;
 3. Add `  - "plugins/microservices/disco_to_target_issuer.yaml"` and `  - "plugins/microservices/target_based_routing.yaml"` in your SATOSA `proxy_conf.yaml` file, within the section `MICRO_SERVICES`;
 4. In `plugins/microservices/target_based_routing.yaml` please add `    "https://eudi.wallet.gov.it": "OpenID4VP"`
-5. Customize  [example/satosa/disco.html](example/satosa/disco.html), then copy it in satosa static file folder. Example `example/static/disco.html`
+5. Customize [example/satosa/static/disco.html](example/satosa/static/disco.html), then copy it in satosa static file folder. Example `example/static/static/disco.html`
+6. Customize [example/satosa/templates/*.html](example/satosa/templates/*.html), then copy it in satosa templates file folder (the path your have configured in your `pyeudiw_backend.yaml` file).
+7. Customize [example/satosa/internal_attributes.yaml](example/satosa/internal_attributes.yaml), then copy it the path your have configured in your `proxy_conf.yaml` file).
 
 ### Backend Configuration Parameters
 
@@ -28,6 +29,7 @@ TBD. A Markdown table with:
 
 ## NginX
 
-TBD.
+Configure an httpd fronted such NginX, an example is available within the `uwsgi_setup` folder of [Satosa-Saml2Spid](https://github.com/italia/Satosa-Saml2Spid/tree/master/example/uwsgi_setup) 
+remember to customize and add any additional parameter to your preferred httpd configuration.
 
 

README.md

@@ -9,7 +9,7 @@
 
 The EUDI Wallet Python toolchain is a suite of Python libraries designed to
 make it easy the implementation of an EUDI Wallet Relying Party according 
-to the [Italian Wallet implementation profile](https://italia.github.io/eudi-wallet-it-docs/en/).
+to the [Italian Wallet implementation profile](https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/).
 
 The toolchain contains the following components:
 
@@ -77,7 +77,7 @@ The example project is a docker-compose that runs a demo composed by the followi
 - Wordpress with SAML2 support and Bootstrap Italia template preregistered to the IAM Proxy.
 - [Satosa-Saml2Spid](https://github.com/italia/Satosa-Saml2Spid) IAM Proxy with a preconfigured OpenID4VP backend.
 
-Please read [this README](example/README.md) to get a fully working demo setup.
+Please read [this README](example/README.Wordpress.md) to get a fully working Wordpress setup with SAML2 support.
 
 
 ## SatoSa configuration
@@ -87,7 +87,9 @@ proxy solution that allows interoperability between different entities that impl
 authentication protocols such as SAML2, OpenID Connect and OAuth2. This project offers a SaToSa
 backend to enable the OpenID4VP protocol. 
 
-Please read  [README-SATOSA.md](README-SATOSA.md) for details.
+<img src="docs/gallery/iam-proxy.svg" width="512">
+
+Please read this [README](README.SATOSA.md) any details about how to configure SaToSa with the OpenID4VP Relying Party backend.
 
 
 ## Contribute

example/satosa/integration_test/main.py

@@ -9,9 +9,13 @@
     leaf_cred,
     leaf_cred_jwk,
     leaf_wallet_jwk,
+    leaf_wallet,
+    leaf_wallet_signed,
     trust_chain_issuer,
     trust_chain_wallet,
-    ta_ec
+    ta_ec,
+    ta_ec_signed,
+    leaf_cred_signed
 )
 
 from pyeudiw.jwk import JWK
@@ -30,16 +34,22 @@
 from saml2_sp import saml2_request, IDP_BASEURL
 from sd_jwt.holder import SDJWTHolder
 
-from settings import CONFIG_DB, RP_EID, WALLET_INSTANCE_ATTESTATION, its_trust_chain
+from settings import (
+    CONFIG_DB, 
+    RP_EID, 
+    WALLET_INSTANCE_ATTESTATION, 
+    its_trust_chain
+)
 
 # put a trust attestation related itself into the storage
 # this then is used as trust_chain header paramenter in the signed
 # request object
 db_engine_inst = DBEngine(CONFIG_DB)
 
+# STORAGE ####
 db_engine_inst.add_trust_anchor(
-    entity_id=ta_ec['iss'],
-    entity_configuration=ta_ec,
+    entity_id = ta_ec['iss'],
+    entity_configuration = ta_ec_signed,
     exp=EXP
 )
 
@@ -48,7 +58,18 @@
     attestation=its_trust_chain,
     exp=datetime.datetime.now().isoformat()
 )
-# End RP trust chain
+
+db_engine_inst.add_or_update_trust_attestation(
+    entity_id=leaf_wallet['iss'],
+    attestation=leaf_wallet_signed,
+    exp=datetime.datetime.now().isoformat()
+)
+
+db_engine_inst.add_or_update_trust_attestation(
+    entity_id=leaf_cred['iss'],
+    attestation=leaf_cred_signed,
+    exp=datetime.datetime.now().isoformat()
+)
 
 req_url = f"{saml2_request['headers'][0][1]}&idp_hinting=wallet"
 headers_mobile = {
@@ -72,17 +93,8 @@
                         )[1][:-1]
     )
 
-# STORAGE ####
-# Put the trust anchor EC and the trust chains related to the credential issuer and the wallet provider in the trust storage
-db_engine_inst.add_trust_anchor(
-    ta_ec['iss'],
-    ta_ec,
-    datetime.datetime.now().isoformat()
-)
-
 WALLET_PRIVATE_JWK = JWK(leaf_wallet_jwk.serialize(private=True))
 WALLET_PUBLIC_JWK = JWK(leaf_wallet_jwk.serialize())
-# PRIVATE_JWK = leaf_wallet_jwk.serialize(private=True)
 jwshelper = JWSHelper(WALLET_PRIVATE_JWK)
 dpop_wia = jwshelper.sign(
     WALLET_INSTANCE_ATTESTATION,
@@ -175,8 +187,10 @@
     aud=str(uuid.uuid4()),
     sign_alg=DEFAULT_SIG_KTY_MAP[WALLET_PRIVATE_JWK.key.kty],
     holder_key=(
-        import_pyca_pri_rsa(WALLET_PRIVATE_JWK.key.priv_key,
-                            kid=WALLET_PRIVATE_JWK.kid)
+        import_pyca_pri_rsa(
+            WALLET_PRIVATE_JWK.key.priv_key,
+            kid=WALLET_PRIVATE_JWK.kid
+        )
         if sd_specification.get("key_binding", False)
         else None
     )

example/satosa/pyeudiw_backend.yaml

@@ -78,12 +78,12 @@ config:
         - http://127.0.0.1:8000
     default_sig_alg: "RS256"
     federation_entity_metadata:
-      - organization_name: Developers Italia SATOSA OpenID4VP backend
-      - homepage_uri: https://developers.italia.it
-      - policy_uri: https://developers.italia.it
-      - tos_uri: https://developers.italia.it
-      - logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
-    
+        organization_name: Developers Italia SATOSA OpenID4VP backend
+        homepage_uri: https://developers.italia.it
+        policy_uri: https://developers.italia.it
+        tos_uri: https://developers.italia.it
+        logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
+
     # private jwk
     federation_jwks:
       - kty: RSA
@@ -149,7 +149,7 @@ config:
     authorization_signed_response_alg: <jwt.sig_alg_supported>
 
     #Various informations of the client
-    client_id: <base_url>/<name>
+    client_id: "<base_url>/<name>"
     client_name: Name of an example organization
     contacts:
       - [email protected]
@@ -169,7 +169,7 @@ config:
 
     #This section contains the details for presentation request
     presentation_definitions:
-      - id: pid
+      - id: pid-sd-jwt:unique_id+given_name+family_name
         input_descriptors:
         - id: pid-sd-jwt:unique_id+given_name+family_name
           format:

example/satosa/static/css/style.css

@@ -290,7 +290,7 @@
 }
 
 .qr-code-title{
-    font-size: 30px;
+    font-size: 24px;
     font-weight: 600;
 }
 
@@ -391,5 +391,9 @@
 }
 
 .qr-code-text{
-    font-size: 15px;
+    font-size: 18px;
+}
+
+.btn {
+    font-size: 18px;
 }

example/satosa/static/disco.html

@@ -7,12 +7,11 @@
     <meta name="description" content="Accedi">
     <link rel="shortcut icon" href="/static/spid/favicon-32x32.png">
 
-    <script src="/static/spid/spid-idps.js"></script>
-    <link rel="stylesheet" href="/static/bootstrap-italia/css/bootstrap-italia.min.css">
-
     <!-- <link rel="stylesheet" href="/static/spid/bootstrap-italia.css"> -->
     <!-- <link type="text/css" rel="stylesheet" href="/static/eidas/css/eidas-sp-access-button.min.css"> -->
-
+
+    <script src="/static/spid/spid-idps.js"></script>
+    <link rel="stylesheet" href="/static/bootstrap-italia/css/bootstrap-italia.min.css">
     <link rel="stylesheet" href="/static/css/style.css">
     <link type="text/css" rel="stylesheet" href="/static/spid/spid-sp-access-button.css">
   </head>
@@ -45,8 +44,7 @@ <h3>IT Wallet</h3>
                             eidas-idp-button="#eidas-idp-button-xlarge-post" 
                             aria-haspopup="false" 
                             aria-expanded="false" 
-                            style="font-size: 21px;"
-                            onclick="loadIframe(this.href); return false;">
+                            style="font-size: 21px;">
                             <span><img class="icon buttonicon" src="/static/wallet-it/wallet_icon.svg" alt="Logo IT Wallet" /></span>
                             <span>Accedi con IT Wallet</span>
                           </a>