Merge pull request #30 from niscy-eudiw/branch-preprod

Update Readme, Requirements and sonar workflow

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @eu-digital-identity-wallet/niscy-admins

.github/workflows/dependencycheck.yml

@@ -0,0 +1,29 @@
+name: SCA - Dependency-Check
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Dependency_check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Depcheck Action - SCA
+        uses: dependency-check/Dependency-Check_Action@main
+        id: Depcheck
+        with:
+          project: '${{ github.repository }}'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --enableRetired
+            --enableExperimental
+      - name: Upload results - SCA
+        uses: actions/upload-artifact@master
+        with:
+           name: Depcheck report
+           path: ${{github.workspace}}/reports

.github/workflows/gitleaks.yml

@@ -0,0 +1,27 @@
+name: Secret Scanning - Gitleaks
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Secret-Scanning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks from container
+        run: |
+            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
+            docker start GL
+            docker exec GL git config --global --add safe.directory '/src'
+            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
+        continue-on-error: true
+
+      - name: upload_artifacts   
+        uses: actions/upload-artifact@v3
+        with:
+          name: Gitleaks Artifact Upload
+          path:  ${{ github.workspace }}/gitleaks-report.json

.github/workflows/sonar.yml

@@ -0,0 +1,62 @@
+name: SAST - SonarCloud
+on:
+  push:
+  pull_request_target:
+  workflow_dispatch:
+
+jobs:
+  check_secret:
+    name: Check secret presence
+    runs-on: ubuntu-latest
+    steps:
+    - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
+    env:
+       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  P_WD_analysis:
+    name: SAST - SonarCloud - Push/WD analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  PR_analysis:
+    name: SAST- SonarCloud - PR analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'pull_request_target')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+                -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+                -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
+                -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

api_docs/add_credential.md

@@ -1,6 +1,6 @@
 # Configuration
 
-This document specifies the changes needed to add a new credential to the EUDIW Issuer.
+This document specifies the changes needed to add a new attestation/credential to the EUDIW Issuer.
 We will use a generic loyalty card credential as an example for this configuration.
 
 ## 1. Metadata Configuration
@@ -9,7 +9,7 @@ Add a new json file with the credential metadata to ```app/metadata_config/crede
 
 For this example we will use ```app/metadata_config/credentials_supported/loyalty_mdoc.json```
 
-Example loyalty card metadata for mso_mdoc format (ISO 18013-5):
+Example loyalty card metadata for mso_mdoc format (ISO 18013-5), with namespace `eu.europa.ec.eudi.loyalty_mdoc`:
 
 ```json
 {
@@ -112,6 +112,13 @@ Example loyalty card metadata for mso_mdoc format (ISO 18013-5):
 }
 ```
 
+If you want to issue a different attestation/credential using this example as a template, please choose a different namespace, doctype, and scope, and modify the claims to include the required attributes.
+
+For more information on the metadata parameters, please refer to https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-metadata.
+
+
+
+
 ## 2. Service Configuration
 
 In the service configuration file (```app/app_config/config_service.py```), you need to configure the issuing authority, organization and validity of the credential.
@@ -155,4 +162,3 @@ For example, to add the loyalty credential to the `formCountry`, you need to add
   "eu.europa.ec.eudi.loyalty_mdoc"
 ]
 ```
-

api_docs/configuration.md

@@ -9,10 +9,12 @@ Base configuration for the EUDIW Issuer is located in ```app/app_config/config_s
 Parameters that should be changed:
 
 - `service_url` (Base url of the service)
-- `trusted_CAs_path` (Path to a folder with trusted DER IACA certificates)
+- `trusted_CAs_path` (Path to a folder with trusted IACA certificates)
 - `eidasnode_url` (eIDAS Node base URL. Only needs to be changed if you're configuring the eIDAS Node)
 - `eidasnode_lightToken_connectorEndpoint` (eIDAS node connector endpoint for lightrequest. Only needs to be changed if you're configuring the eIDAS Node.)
 
+You must copy your IACA trusted certificate(s) (in PEM format) to the `trusted_CAs_path` folder - you can find an example test IACA certificate for country Utopia (UT) [here](test_tokens/IACA-token/PIDIssuerCAUT01.pem.gz) -.
+
 ## 2. Configuration of Countries
 
 The supported countries configuration of the EUDIW Issuer is located in ```/app/app_config/config_countries.py```.
@@ -21,9 +23,14 @@ Parameters that should be changed for each country:
 
 + `name` - name of the country
 + `connection_type`- options are eidasnode, oauth, and openid.
-+ `pid_mdoc_privkey`- Document/Credential signer (DS) private key location.
++ `pid_mdoc_privkey`- Document/Credential signer (DS) private key file location.
 + `pid_mdoc_privkey_passwd` - Document/Credential signer (DS) private key password.
-+ `pid_mdoc_cert` - Document/Credential signer (DS) certificate location.
++ `pid_mdoc_cert` - Document/Credential signer (DS) certificate file location.
+
+
+You must copy your DS private key (in PEM format) to `pid_mdoc_privkey` file (the password must be defined in `pid_mdoc_privkey_passwd`), and the certificate (in DER format) to `pid_mdoc_cert` file.
+
+You can find example test private DS keys and certificates, for country Utopia (UT) [here](test_tokens/DS-token/) - the password of the example test private DS keys is "pid-ds-0002".
 
 
 ## 3. OID4VCI configuration 

app/requirements.txt

@@ -22,9 +22,9 @@ pillow==10.2.0
 segno==1.6.1
 qrcode-artistic==3.0.2
 gunicorn
-git+https://github.com/devisefutures/pyMDOC-CBOR.git@cert_arg
+git+https://github.com/eu-digital-identity-wallet/pyMDOC-CBOR.git
 git+https://github.com/openwallet-foundation-labs/sd-jwt-python.git@9181a0a4514b7de2cc30a84d320b509e9fc5cb59
-git+https://github.com/Scytales-DeviseFutures/idpy-oidc.git@1-batch_credential
-git+https://github.com/Scytales-DeviseFutures/openid4v.git@1-batch_credential
+git+https://github.com/eu-digital-identity-wallet/idpy-oidc.git
+git+https://github.com/eu-digital-identity-wallet/openid4v.git
 git+https://github.com/rohe/fedservice.git@107799de02ce282f8c9feaf85e4ba6c88a1d76ab
 git+https://github.com/rohe/idpy-sdjwt.git