Merge pull request #43 from italia/oidcop

identity python OIDCop frontend modules

.github/workflows/python-app.yml

@@ -40,6 +40,7 @@ jobs:
         pip install -r example_sp/djangosaml2_sp/requirements.txt
         pip install spid-sp-test>=0.9.2
         pip install flake8
+        pip install satosa_oidcop
     - name: Lint with flake8
       run: |
         ## stop the build if there are Python syntax errors or undefined names

.gitignore

@@ -2,6 +2,8 @@ SATOSA/
 */__pyc__/*
 example/logs/*.log
 example/metadata/*.md
+example/data/*
+example/private/*
 *.pyc
 *pyFF_example/info.log
 *pyFF_example/error.log
@@ -13,3 +15,4 @@ example/metadata/*.md
 *pyFF_example/garr
 *pyFF_example/entities
 example_sp/djangosaml2_sp/sqlite3.db
+project/*

Dockerfile

@@ -33,17 +33,15 @@ RUN pip3 install -r requirements.txt --ignore-installed
 RUN mkdir -p metadata/idp
 RUN mkdir -p metadata/sp
 
-# COPY Metadata 
+# COPY Metadata
 ARG SP_METADATA_URL
 ARG IDP_METADATA_URL
 RUN wget $SP_METADATA_URL -O metadata/sp/my-sp.xml --no-check-certificate
 RUN wget $IDP_METADATA_URL -O metadata/idp/my-idp.xml --no-check-certificate
 RUN wget https://registry.spid.gov.it/metadata/idp/spid-entities-idps.xml -O metadata/idp/spid-entities-idps.xml
 
-RUN adduser --disabled-password wert 
+RUN adduser --disabled-password wert
 RUN chown -R  wert .
 
 COPY demo-run.sh .
 CMD bash demo-run.sh
-
-

README.idpy.forks.mngmnt.md

@@ -1,32 +1,27 @@
 # PySAML2
 
 ````
-git clone -b pplnx-v5 https://github.com/peppelinux/pysaml2
+git clone https://github.com/identitypython/pysaml2
 cd pysaml2/
 
-# create current idpy master
-git checkout --orphan idpy-v6.5.1
-git remote add idpy https://github.com/IdentityPython/pysaml2.git
+# create current pplnx branch
+git checkout --orphan pplnx-v7.0.1+
+git remote add pplnx https://github.com/peppelinux/pysaml2.git
 git reset --hard
-git pull idpy master
-
-# create current pplnx branch to be updated and tested
-git checkout --orphan pplnx-v6.5.1
-git reset --hard
-git pull idpy master
+git pull origin master
 
 # pplnx's patches
 # https://github.com/IdentityPython/pysaml2/pull/602/files
 # SPID requirements
-git pull origin date_xsd_type
+git pull pplnx date_xsd_type
 
 # https://github.com/IdentityPython/pysaml2/pull/628
 # SPID required
-git pull origin disabled_weak_algs
+git pull pplnx disabled_weak_algs
 
 # https://github.com/IdentityPython/pysaml2/pull/625
 # this must be merged at the end, otherwise break the unit tests
-git pull origin ns_prefixes
+git pull pplnx ns_prefixes
 ````
 
 If `ns_prefixes` still conflicts, mind these two lines (#15 #16):
@@ -37,12 +32,12 @@ TMPL = "<?xml version='1.0' encoding='UTF-8'?>\n%s" % TMPL_NO_HEADER
 # SATOSA
 
 ````
-git clone https://github.com/peppelinux/satosa
+git clone https://github.com/identitypython/satosa
 cd SATOSA
-git remote add idpy https://github.com/IdentityPython/SATOSA.git
-git checkout --orphan pplnx-v7.0.4-pre
+git remote add pplnx https://github.com/peppelinux/SATOSA.git
+git checkout --orphan pplnx-v8.0.0
 git reset --hard
-git pull idpy master
+git pull origin master
 
 pip install -r tests/test_requirements.txt
 
@@ -58,11 +53,11 @@ systemctl start mongod
 py.test tests/ -x
 
 # https://github.com/IdentityPython/SATOSA/pull/363
-git pull origin cookie_conf_2
+git pull pplnx cookie_conf_2
 
 # https://github.com/IdentityPython/SATOSA/pull/324
-git pull origin context_state_error_msg
+git pull pplnx context_state_error_msg
 
 # https://github.com/IdentityPython/SATOSA/pull/325
-git pull origin error_redirect_page
+git pull pplnx error_redirect_page
 ````

README.md

@@ -1,12 +1,13 @@
 # Satosa-Saml2Spid
 
-This is a SAML2  configuration for [SATOSA](https://github.com/IdentityPython/SATOSA)
-that aims to setup a **SAML-to-SAML Proxy** compatible with the  **SPID - the Italian Digital Identity System**.
+This is a SAML2/OIDC configuration for [SATOSA](https://github.com/IdentityPython/SATOSA)
+that aims to setup a **SAML-to-SAML Proxy** and **OIDC-to-SAML** compatible with the  **SPID - the Italian Digital Identity System**.
 
 ## Table of Contents
 1. [Goal](#goal)
 2. [Demo components](#demo-components)
 3. [Docker image](#docker-image)
+3. [Docker stack](#docker-compose)
 4. [Setup](#setup)
 5. [Start the Proxy](#start-the-proxy)
 6. [Additional technical informations](#additional-technical-informations)
@@ -16,7 +17,7 @@ that aims to setup a **SAML-to-SAML Proxy** compatible with the  **SPID - the It
 
 ## Goal
 
-Satosa-Saml2 Spid is an intermediary between many SAML2 Service Providers and many SAML2 Identity Providers.
+Satosa-Saml2 Spid is an intermediary between many SAML2/OIDC Service Providers (RP) and many SAML2 Identity Providers.
 Specifically it allows traditional Saml2 Service Providers to communicate with
 **Spid Identity Providers** adapting Metadata and AuthnRequest operations to the Spid technical requirements.
 
@@ -95,6 +96,51 @@ docker exec -it $(docker container ls | grep saml2spid | awk -F' ' {'print $1'})
 
 Remember to edit and customize all the values like `"CHANGE_ME!"` in the configuration files, in `proxy_conf.yaml` and in plugins configurations.
 
+## OIDC
+
+this project uses [SATOSA_oidcop](https://github.com/UniversitaDellaCalabria/SATOSA-oidcop) as OAuth2/OIDC frontend module.
+This feature is not enabled by default, uncomment the following statement in the proxy_configuration to enable it.
+
+https://github.com/italia/Satosa-Saml2Spid/blob/oidcop/example/proxy_conf.yaml#L32
+
+#### Docker compose for OIDC
+
+````
+apt install jq
+pip install docker-compose
+````
+
+Create your project folder, starting from our example project
+````
+cp -R example project
+# do your customizations in project/
+````
+
+Create volumes
+````
+docker volume create --name=satosa-saml2saml_certs
+docker volume create --name=satosa-saml2saml_conf
+docker volume create --name=satosa-saml2saml_statics
+docker volume create --name=satosa-saml2saml_logs
+````
+
+Where the data are
+`docker volume ls`
+
+Copy files in destination volumes
+````
+cp project/pki/*pem `docker volume inspect satosa-saml2saml_certs | jq .[0].Mountpoint | sed 's/"//g'`
+cp -R project/* `docker volume inspect satosa-saml2saml_conf | jq .[0].Mountpoint | sed 's/"//g'`
+cp -R project/static/* `docker volume inspect satosa-saml2saml_statics | jq .[0].Mountpoint | sed 's/"//g'`
+````
+
+Run the stack
+````
+docker-compose up
+````
+
+See [mongo readme](./mongo) to have some example of demo data.
+
 
 ## Setup
 
@@ -148,7 +194,7 @@ These are the configuration files:
 - `plugins/backends/spidsaml2_backend.yaml`
 - `plugins/backends/saml2_backend.yaml`
 - `plugins/frontend/saml2_frontend.yaml`
-
+- `plugins/frontend/oidc_op_frontend.yaml` (experimental)
 
 ## Saml2 Metadata
 
@@ -259,8 +305,8 @@ The SaToSa **SPID** backend contained in this project adopt specialized forks of
 read [this](README.idpy.forks.mngmnt.md) for any further explaination about how to patch by hands.
 
 All the patches and features are currently merged and available with the following releases:
-- [pysaml2](https://github.com/peppelinux/pysaml2/tree/pplnx-v7.0.1)
-- [SATOSA](https://github.com/peppelinux/SATOSA/tree/pplnx-v7.0.3)
+- [pysaml2](https://github.com/peppelinux/pysaml2/tree/pplnx-v7.0.1-1)
+- [SATOSA](https://github.com/peppelinux/SATOSA/tree/oidcop-v8.0.0)
 
 
 #### Pending contributions to idpy

demo-run.sh

@@ -3,6 +3,6 @@
 SATOSA_APP=/usr/lib/python3.8/site-packages/satosa
 uwsgi --uid 1000 --https 0.0.0.0:9999,$BASEDIR/pki/cert.pem,$BASEDIR/pki/privkey.pem --check-static-docroot --check-static $BASEDIR/static/ --static-index disco.html &
 P1=$!
-uwsgi --uid 1000 --wsgi-file $SATOSA_APP/wsgi.py  --https 0.0.0.0:10000,$BASEDIR/pki/cert.pem,$BASEDIR/pki/privkey.pem --callable app
+uwsgi --uid 1000 --wsgi-file $SATOSA_APP/wsgi.py  --https 0.0.0.0:10000,$BASEDIR/pki/cert.pem,$BASEDIR/pki/privkey.pem --callable app -b 32648
 P2=$!
 wait $P1 $P2

docker-compose.yml

@@ -0,0 +1,124 @@
+version: "3"
+
+services:
+  # if needed
+  #spid-certs:
+    #image: psmiraglia/spid-compliant-certificates
+    #volumes:
+        #- ./project/pki:/tmp/certs:rw
+    #entrypoint: |
+        #spid-compliant-certificates generator
+        #--key-size 3072
+        #--common-name "A.C.M.E"
+        #--days 365
+        #--entity-id https://spid.acme.it
+        #--locality-name Roma
+        #--org-id "PA:IT-c_h501"
+        #--org-name "A Company Making Everything"
+        #--sector public
+        #--key-out /tmp/certs/privkey.pem
+        #--crt-out /tmp/certs/cert.pem
+
+  satosa-mongo:
+    image: mongo
+    restart: always
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: satosa
+      MONGO_INITDB_ROOT_PASSWORD: thatpassword
+    ports:
+      - 27017:27017
+    volumes:
+        - mongodbdata:/data/db
+    networks:
+      - satosa
+
+  satosa-mongo-express:
+    image: mongo-express
+    restart: always
+    ports:
+      - 8082:8081
+    environment:
+      ME_CONFIG_BASICAUTH_USERNAME: satosa
+      ME_CONFIG_BASICAUTH_PASSWORD: thatpassword
+      ME_CONFIG_MONGODB_ADMINUSERNAME: satosa
+      ME_CONFIG_MONGODB_ADMINPASSWORD: thatpassword
+      ME_CONFIG_MONGODB_URL: mongodb://satosa:thatpassword@satosa-mongo:27017/
+    networks:
+      - satosa
+
+  # remove if use a nginx frontend
+  satosa-statics:
+    build:
+      context: .
+      dockerfile: ./docker/satosa-statics/Dockerfile
+    expose:
+      - 9999
+    ports:
+      - "9999:9999"
+    volumes:
+      - satosa-saml2saml_certs:/satosa_pki
+      - satosa-saml2saml_statics:/satosa_statics
+    networks:
+      - satosa
+
+  satosa-saml2spid:
+    build:
+      context: .
+      dockerfile: ./docker/satosa-saml2spid/Dockerfile
+    depends_on:
+      - satosa-mongo
+    environment:
+      - THAT=thing
+    expose:
+      - 10000
+    ports:
+      - "10000:10000"
+    networks:
+      - satosa
+    volumes:
+      - satosa-saml2saml_certs:/satosa_pki
+      - satosa-saml2saml_conf:/satosa_proxy
+      - satosa-saml2saml_logs:/satosa_logs
+
+  # TODO
+  #satosa-nginx:
+    #image: nginx:1.19-alpine
+    #ports:
+      #- "80:80"
+      #- "443:443"
+    #volumes:
+      #- ./docker/gateway/satosa.conf:/etc/nginx/conf.d/default.conf
+      #- satosa-saml2saml_statics:/satosa/static
+      #- ./docker/gateway/example.key:/etc/nginx/certs/certificate.key
+      #- ./docker/gateway/example.crt:/etc/nginx/certs/certificate.crt
+    #depends_on:
+      #- satosa-front
+      #- satosa-back
+    #networks:
+      #- satosa
+
+  # uncomment if needed
+  spid-saml-check:
+    image: italia/spid-saml-check
+    ports:
+      - "8080:8080"
+    networks:
+      - satosa
+    #volumes:
+      #- "./docker/spid-saml-check-config/idp.json:/spid-saml-check/spid-validator/config/idp.json:ro"
+      #- "./docker/spid-saml-check-config/idp_demo.json:/spid-saml-check/spid-validator/config/idp_demo.json:ro"
+      #- "./docker/spid-saml-check-config/server.json:/spid-saml-check/spid-validator/config/server.json:ro"
+
+volumes:
+  mongodbdata:
+  satosa-saml2saml_certs:
+    external: true
+  satosa-saml2saml_statics:
+    external: true
+  satosa-saml2saml_conf:
+    external: true
+  satosa-saml2saml_logs:
+    external: true
+
+networks:
+  satosa:

docker/satosa-saml2spid/Dockerfile

@@ -0,0 +1,19 @@
+FROM debian:buster-slim
+MAINTAINER Giuseppe De Marco <demarcog83@gmail.com>
+
+# for alpine 13
+#RUN apk update
+#RUN apk add xmlsec libffi-dev libressl-dev python3 py3-pip python3-dev procps git openssl build-base gcc wget bash cargo musl-dev
+
+RUN apt update
+RUN apt install -y libffi-dev libssl-dev python3-pip xmlsec1 procps libpcre3 libpcre3-dev git bash
+
+ENV BASEDIR="/satosa_proxy"
+COPY ./requirements.txt .
+RUN pip3 install --upgrade pip
+RUN pip3 install -r requirements.txt --ignore-installed
+
+WORKDIR $BASEDIR/
+# COPY ./project $BASEDIR
+RUN ls .
+ENTRYPOINT uwsgi --wsgi satosa.wsgi --https 0.0.0.0:10000,/satosa_pki/cert.pem,/satosa_pki/privkey.pem --callable app -b 32648

docker/satosa-statics/Dockerfile

@@ -0,0 +1,10 @@
+FROM debian:buster-slim
+MAINTAINER Giuseppe De Marco <demarcog83@gmail.com>
+
+RUN apt update
+RUN apt install -y libffi-dev libssl-dev python3-pip libpcre3 libpcre3-dev
+
+RUN pip3 install uwsgi
+ENV BASEDIR=/satosa_statics/
+WORKDIR $BASEDIR
+ENTRYPOINT uwsgi --uid 1000 --https 0.0.0.0:9999,/satosa_pki/cert.pem,/satosa_pki/privkey.pem --check-static-docroot --check-static $BASEDIR --static-index disco.html