Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Satosa] Example pyeudiw_backend.yaml can be secured more about private keys configuration #254

Open
Zicchio opened this issue Aug 23, 2024 · 1 comment
Assignees
Labels
enhancement Something improving existing features
Milestone

Comments

@Zicchio
Copy link
Collaborator

Zicchio commented Aug 23, 2024

The example configuration file of the satosa backend, which is https://github.com/italia/eudi-wallet-it-python/blob/dev/example/satosa/pyeudiw_backend.yaml includes some hardcoded private keys.
For example, see this one.

federation_jwks:
- kty: RSA
d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
e: AQAB
kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM

This is okay-ish for development purposes, but the project should eventually provide an example configuration file that states without ambiguity which configuration parameters are secrets that in a deploy process should be injected by a CI/CD pipeline, like this one.
https://github.com/italia/Satosa-Saml2Spid/blob/8272442b122ddf19d80ff8cfd00226f61d170d1a/example/plugins/backends/saml2_backend.yaml#L10-L11
This should be done so that uninformed developers do not accidentally go to production with an unsecure signing key

@italia italia deleted a comment Aug 23, 2024
@peppelinux peppelinux added this to the 0.9.1 milestone Aug 29, 2024
@peppelinux peppelinux added the enhancement Something improving existing features label Aug 29, 2024
@peppelinux
Copy link
Member

We should move the entire backend configuration using !ENV to facilitate configuration using docker compose and its env context

@elisanp elisanp changed the title [Satosa] Example pyeudiw_backend.yaml is not secure-by-design [Satosa] Example pyeudiw_backend.yaml can be secured more about private keys configuration Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Something improving existing features
Projects
Status: No status
Development

No branches or pull requests

3 participants