[Satosa] Example pyeudiw_backend.yaml can be secured more about private keys configuration #254

Open
Zicchio opened this issue Aug 23, 2024 · 1 comment
Labels: enhancement (Something improving existing features)

Zicchio (Collaborator) commented Aug 23, 2024

The example configuration file of the satosa backend, which is https://github.com/italia/eudi-wallet-it-python/blob/dev/example/satosa/pyeudiw_backend.yaml includes some hardcoded private keys.
For example, see this one.

```yaml
federation_jwks:
  - kty: RSA
    d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
    e: AQAB
    kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
    n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
    p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
    q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
```

This is okay-ish for development purposes, but the project should eventually provide an example configuration file that states without ambiguity which configuration parameters are secrets that, in a deploy process, should be injected by a CI/CD pipeline, like this one:
https://github.com/italia/Satosa-Saml2Spid/blob/8272442b122ddf19d80ff8cfd00226f61d170d1a/example/plugins/backends/saml2_backend.yaml#L10-L11
This should be done so that uninformed developers do not accidentally go to production with an insecure signing key.

@italia italia deleted a comment Aug 23, 2024
@peppelinux peppelinux added this to the 0.9.1 milestone Aug 29, 2024
@peppelinux peppelinux added the enhancement Something improving existing features label Aug 29, 2024
peppelinux (Member) commented

We should move the entire backend configuration to using `!ENV`, to facilitate configuration with docker compose and its env context.
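The two points above (secrets that a pipeline injects, and a `!ENV` tag so docker compose can supply them) as an added example. This is my own illustrative code, not pyeudiw's or SATOSA's loader: it parses a config with a `!ENV VAR` tag into placeholder markers, resolves them from the environment only at deploy time, failing closed if a variable is missing, and refuses to build a runtime config while any JWK private member (`d`, `p`, `q`, `dp`, `dq`, `qi`, `oth`, `k`) is still a literal string. The two YAML fragments, the variable name `PYEUDIW_FEDERATION_RSA_D` and the placeholder key values are constructed for the example; it needs PyYAML.

```python
"""Added example (not project code): resolve `!ENV` tags from the environment
and flag JWK private-key members that are still hardcoded in a YAML config."""
import os
import yaml

# JWK members that carry private or symmetric key material (RFC 7518 section 6).
JWK_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


class EnvRef:
    """Marker produced for a `!ENV VAR` scalar; resolved only at deploy time."""

    def __init__(self, name):
        self.name = name

    def __repr__(self):
        return f"EnvRef({self.name!r})"


class EnvLoader(yaml.SafeLoader):
    """SafeLoader subclass so the `!ENV` constructor is not registered globally."""


def _env_constructor(loader, node):
    return EnvRef(loader.construct_scalar(node).strip())


EnvLoader.add_constructor("!ENV", _env_constructor)


def load_config(text):
    """Parse YAML, keeping `!ENV` values as EnvRef markers (no secret read yet)."""
    return yaml.load(text, Loader=EnvLoader)


def resolve(obj, env=None):
    """Replace every EnvRef with the variable's value; fail closed if one is unset."""
    env = os.environ if env is None else env
    if isinstance(obj, EnvRef):
        if obj.name not in env:
            raise KeyError(f"secret {obj.name} is referenced by the config but not set")
        return env[obj.name]
    if isinstance(obj, dict):
        return {k: resolve(v, env) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, env) for v in obj]
    return obj


def find_hardcoded_private_members(obj, path="$"):
    """Return paths of JWK private members whose value is a literal, not an EnvRef.

    A mapping is treated as a JWK when it has a `kty` member."""
    findings = []
    if isinstance(obj, dict):
        is_jwk = "kty" in obj
        for key, value in obj.items():
            child = f"{path}.{key}"
            if is_jwk and key in JWK_PRIVATE_MEMBERS and not isinstance(value, EnvRef):
                findings.append(child)
            findings.extend(find_hardcoded_private_members(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_hardcoded_private_members(value, f"{path}[{i}]"))
    return findings


def check_before_deploy(text, env=None):
    """CI step: refuse to produce a runtime config while any private member is a literal."""
    cfg = load_config(text)
    bad = find_hardcoded_private_members(cfg)
    if bad:
        raise ValueError("hardcoded private key material at: " + ", ".join(bad))
    return resolve(cfg, env)


# Constructed fragments; the key values are placeholders, not real key material.
HARDCODED_YAML = """
federation_jwks:
  - kty: RSA
    kid: example-kid
    e: AQAB
    n: placeholder-public-modulus
    d: placeholder-private-exponent
"""

ENV_YAML = """
federation_jwks:
  - kty: RSA
    kid: example-kid
    e: AQAB
    n: placeholder-public-modulus
    d: !ENV PYEUDIW_FEDERATION_RSA_D
"""

if __name__ == "__main__":
    print(find_hardcoded_private_members(load_config(HARDCODED_YAML)))
    print(check_before_deploy(ENV_YAML, {"PYEUDIW_FEDERATION_RSA_D": "from-ci"}))
```

`check_before_deploy` is the step a pipeline would run before starting the backend: the first fragment is rejected with the path `$.federation_jwks[0].d`, the second only loads once the variable is present in the environment. The check keys on `kty` rather than on the `federation_jwks` name, so it also catches private members in `metadata_jwks` or any other JWK list. A key that has ever been committed to a public example file should be treated as compromised regardless of how the config is later parameterised; the fix is rotation plus injection, not injection alone.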

@elisanp elisanp changed the title [Satosa] Example pyeudiw_backend.yaml is not secure-by-design [Satosa] Example pyeudiw_backend.yaml can be secured more about private keys configuration Oct 17, 2024