v0.3.0 (#31)
* chore: create template demo and add bootstrap-italia in file example settings

* fix: remove bootstrap-italia in file example settings

* test: in onboarding add test_03_authn_request.py and its documentation in docs

* test: add claims schema

* fix: renamed file md on jwt API in docs

* fix: specified scope and ui_locales in schema for authn request

* fix: added comment, scope e ui_locales to review

* chore: preparation page entities and registration

* test: authn request for cie and for spid

* test: changed ui_locales definition

* fix: update form registration and templates

* test: added test_04_authn_response

* test: started token request test

* fix: rename onboardingform.py to forms.py

* fix: remove migrations 0003

* fix: rename import file onboardingregistrationForm  form forms

* fix: remove imports not used

* fix: rename path demo to landing

* fix: remove class unical-background

* fix: add field.errore

* fix: use class bootstrap italia

* fix: add title to father html file

* fix: rename public_jwks

* fix: due to revisions

* test: refactor test with assertRaises

* fix: handle translation text

* fix: translation text

* fix: created tutorial for create_jws function in JWT_SIGNATURE_ENCRYPTION_API.md

* test: deleted comments line

* fix: modified as required

* fix: modified as required

* fix: modified as required

* fix: added description of how to use verify_jws function

* chore: create list entities with pagination

* fix: render svg icon for nav pagination

* fix: rename url_available to authn_buttons_page_url

* docs: how to validate authn request for spid

* docs: typo

* test: added bad SPID authn request test

* test: added bad CIE authn request test

* chore: README improvements

* fix: change chartfield to JSONField

* BREAKING CHANGE: onboarding models and API moved to spid_cie_oidc.authority

* fix: unit tests with refactor

* fix: settingslocal.example in fed auth

* fix: onboarding demo dependency with design-django-theme

* fix: CI with bootstrap_italia_template

* fix: CI with design-django-theme

* fix: added lost tests after app refactor

* chore: onboarding landing page welcome, style and image

* fix: changed 'iss' control

* fix: added __init__.py in spid_cie_oidc.onboarding.test

* refactor: introduced use of decorator @validator

* fix: add cards in templates

* test: improved check on 'scope' attribute

* chore: add model OnboardingRegistration

* fix: onboarding registration migrations

* moving to v0.3.0

* fix: added pydantic in dependencies

* chore: code linting with black

* test: added test for bad authn response

* fix: add field status and validators

* fix: add new column to table and color for status

* fix: handle form registration

* perf: improved client_assertion check

* test: test for token requests

* docs: documentation for token requests

* docs: typo

* fix: regexp in validators.token_request

* fix: flake8 F722 ignore in pydantic constr

* feat: oidc provider models, some code linting

* chore: created spid_cie_oidc.authority.validators and moved validate_entity_configuration from models

* feat: Metadata discovery loop prevention, closes #4

* fix: 4c7c700

* fix: added a warning message for unconfigured OIDCFED_FEDERATION_TRUST_ANCHORS

* chore: entity.models.TrustChain minor changes

* chore: trust chain better exception handling and small code cleanup

* fix: trust chain builder args

* fix: trust chains unit test with faulty auth hint, better exception handling

* feat: trust marks filter on metadata discovery

* feat: added validator for jwt in token request

* docs: added doc for unpad_jwt_head and unpad_jwt_payload

* fix: improved iat and exp check

* fix: change redirect after submit form

* chore: create test registration form

* refactor: renamed datetime_from_exp in datetime_from_timestamp

* refactor: moved JwtClientAssertionStructure class in jwt.py

* refactor: removed JwtClientAssertionStructure

* style: clean

* refactor: renamed datetime_from_exp in datetime_from_timestamp

* refactor: clean

* feat: request and response validators for token endpoint

* chore: add navbar

* trust marks WiP

* fix: aud corrected

* feat: added introspection request validator

* style: import organized

* feat: added introspection endpoint validators

* docs: added docs for introspection request

* feat: added validators for introspection error response

* feat: added revocation request validators

* feat: added revocation error response validator

* feat: onboarding registration model with created/modified attr, example data updated

* refactor: changed validators directory in schema directory

* docs: added docs for token response, authen response and introspection response

* fix: bug in introspection response

* refactor: adjusted docs after moving validators dir in schemas dir

* refactor: adjusted docs after moving validators dir in schemas dir

* docs: joined requests and responses for each endpoint

* docs: minor fixes

* docs: minor fixes

* docs: minor fixes

* docs: minor fixes

* chore: code linting and a little note in the README

* feat: trust marks validation in trust chain

* feat: added a unit test for missing but required trust marks

* fix: code linting and flake

* chore: ta with intermediary with TrustChain Storage

* test-01-failed and RP wip (#28)

* Merge branch 'dev' of https://github.com/peppelinux/spid-cie-oidc-django into main

* fix: correct navlink name

* feat: unique entity validator submission form
feat: RP landing page wip

* fix: clean settingslocal.py.example

* fix: correct test with a url entity valid

* fix: add slash to example settinglocal file

* fix: add conf rp to test registration

* fix: add configuration

* fix: remove print

* fix: remove breakpoint in code

* fix: remove image from template

* fix: add monkey patch to test

* fix: order template

* fix: remove clean method

* fix: remove breakpoint

* fix: clean

* fix: static folder to git ignore

Co-authored-by: Giuseppe De Marco <[email protected]>

* feat: Trust chains and Entity Statements storage and helpers

* chore: code linting

* fix: wrong import in trust chain helpers

* feat: op in fedauth demo, example json updated, rp CLI command and moved rp test to tests folder

* feat: get_or_create_trust_chain with force parameter

* fix: rp tests

* fix: trust chain fetch_api_url

* chore: moved images to docs

* chore: fedauth example json data updated with rp and op jwks

* fix: create or update without duplicated

* chore: example data cleaned from duplicates

Co-authored-by: dezhizhang <[email protected]>
Co-authored-by: Francesca <[email protected]>
Co-authored-by: dezhizhang1985 <[email protected]>
4 people authored Feb 25, 2022
1 parent 67d02d9 commit 91d49d3
Showing 110 changed files with 5,230 additions and 1,291 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/python-app.yml
Expand Up @@ -33,10 +33,10 @@ jobs:
# sudo apt update && sudo apt python3-dev python3-pip
python -m pip install --upgrade pip
python -m pip install -r requirements-dev.txt
- name: Install Django Bootstrap Italia template
run: pip install design-django-theme

- name: Install spid-cie-oidc
run: |
pip install -e .
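Review bot: the new step `run: pip install design-django-theme` installs the theme unpinned, so each CI run picks up whatever version is current on PyPI that day and a breaking theme release will fail the build without any change in this repository; pin a version here, or better, add the theme to requirements-dev.txt (already installed two lines above) so the test dependencies are declared in one place.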
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -26,6 +26,7 @@ share/python-wheels/
.installed.cfg
*.egg
MANIFEST
examples/*/static/

# PyInstaller
# Usually these files are written by a python script from a template
26 changes: 21 additions & 5 deletions README.md
Expand Up @@ -12,6 +12,7 @@ each of these can be installed separately within a django project, these are:

- __spid_cie_oidc.accounts__: customizable app that extended the Django User model.
- __spid_cie_oidc.entity__: OIDC Federation django app, with models and API that implements OIDC Federation 1.0 Entity Statements, metadata discovery, Trust Chain, Trust Marks and Metadata policy.
- __spid_cie_oidc.authority__: OIDC Federation API and models for Trust Anchors and Intermediaries.
- __spid_cie_oidc.onboarding__: OIDC Federation OnBoarding demo application.
- __spid_cie_oidc.relying_party__: OIDC Relying Party and test suite for OIDC Providers.
- __spid_cie_oidc.provider__: OIDC Provider and test suite for OIDC Relying Parties.
Expand All @@ -29,11 +30,11 @@ We have all the Django apps available in the folder `spid_cie_oidc/`.
The examples projects are instead in the folder `examples/`.

There is a substantial difference between an app and a project.
The app is installed using a common python package manager, such as poetry or pip,
The app is installed using a common python package manager, such as _poetry_ or _pip_,
and can be used, inherited, and integrated into other projects.

A project is a service configuration that integrates one or more applications.
In this repository we have three example project for demo purpose.
In this repository we have three example projects for demo purpose.

### Summary

Expand Down Expand Up @@ -66,7 +67,7 @@ sudo pip install virtualenv
Activate the environment. It's optional and up to you if you want to install
in a separate env or system wide
````
virtualenv -p python3 --copies env
virtualenv -p python3 env
source env/bin/activate
````

Expand All @@ -81,7 +82,7 @@ pip install spid-cie-oidc
#### Setup the example project for demo purpose

````
git clone https://github.com/peppelinux/spid-cie-oidc
git clone https://github.com/peppelinux/spid-cie-oidc-django
cd spid-cie-oidc
pip install -e .
````
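Review bot: the clone URL is changed to `https://github.com/peppelinux/spid-cie-oidc-django`, but the next line still runs `cd spid-cie-oidc`; git names the checkout directory after the repository, so that `cd` will fail for anyone following the README. Change it to `cd spid-cie-oidc-django`, or pass an explicit target directory to `git clone`.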
Expand All @@ -91,12 +92,14 @@ In `examples/` folder you have three demostrations projects:
- relying_party
- provider

for each of the them you have to create the db and load the example data , as follows:
for each of the them you have to create the db and load the example data, as follows:

````
cd examples/$project_name
cp $project_name/settingslocal.py.example $project_name/settingslocal.py
# then customize (optional) $project_name/settingslocal.py
# add OIDCFED_FEDERATION_TRSUT_ANCHORS = ["http://127.0.0.1:8000"]
./manage.py migrate
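Review bot: the added comment `# add OIDCFED_FEDERATION_TRSUT_ANCHORS = ["http://127.0.0.1:8000"]` misspells the setting name (TRSUT for TRUST); the commit message itself refers to `OIDCFED_FEDERATION_TRUST_ANCHORS`, and a reader who pastes the comment into settingslocal.py will get the "unconfigured trust anchors" warning this same commit batch introduces while believing the setting is in place. Also, "for each of the them" should read "for each of them".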
Expand All @@ -115,12 +118,25 @@ The demo propose a small federation composed by the following entities:
- OpenID Relying Party, available at `http://localhost:8001`
- OpenID Provider, available at `http://localhost:8002`


### Docker compose

> TODO: Not available untile v0.6.0 release

### Django projects

Activate the environment
````
source env/bin/activate
cd examples
````

Install Django Bootstrap italia template
````
pip install design-django-theme
````

Then enter in the single applications projects (__federation_authority/__ or __relying_party/__ or __provider/__):
````
# run the web server
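Review bot: typo in the new Docker compose note: "untile" should be "until". The added "Install Django Bootstrap italia template" step duplicates by hand what the CI workflow does with `pip install design-django-theme`; if the theme is a dependency of the demo projects (the commit message mentions "onboarding demo dependency with design-django-theme"), declare it with the other demo requirements so the README and CI install paths cannot drift apart.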
76 changes: 76 additions & 0 deletions docs/AUTHENTICATION_ENDPOINT.md
@@ -0,0 +1,76 @@
# OP’s Authorization Endpoint

In spid_cie_oidc.onboarding.schemas there are functions to generate the json schema of the Authentication Request to the OP's Authorization Endpoint from RP and the related OP's response to RP.

With the same functions is possible to validate request and response.


# How to export the authn request schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.authn_requests import AuthenticationRequestSpid
print(AuthenticationRequestSpid.schema_json(indent=2))
````

# How to validate an authn request for SPID

````
./manage.py shell
````
Import an authn request example
````
from spid_cie_oidc.onboarding.tests.authn_request_settings import AUTHN_REQUEST_SPID
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.authn_requests import AuthenticationRequestSpid
AuthenticationRequestSpid(**AUTHN_REQUEST_SPID)
````

# How to export the authn successful response schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationResponse
print(AuthenticationResponse.schema_json(indent=2))
````

# How to validate an authn successful response for SPID

````
./manage.py shell
````
Import an authn successful response example
````
from spid_cie_oidc.onboarding.tests.authn_responses_settings import AUTHN_RESPONSE_SPID
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationResponse
AuthenticationResponse(**AUTHN_RESPONSE_SPID)
````

# How to export the authn error response schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationErrorResponse
print(AuthenticationErrorResponse.schema_json(indent=2))
````

# How to validate an authn error response for SPID

````
./manage.py shell
````
Import an authn error response example
````
from spid_cie_oidc.onboarding.tests.authn_responses_settings import AUTHN_ERROR_RESPONSE_SPID
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationErrorResponse
AuthenticationErrorResponse(**AUTHN_ERROR_RESPONSE_SPID)
````
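Review bot: the top heading says "OP's Authorization Endpoint" while every section below calls it the "authn request" and "authn ... response"; pick one term. The validation snippets such as `AuthenticationRequestSpid(**AUTHN_REQUEST_SPID)` document only the success path: state that a failed validation raises a pydantic `ValidationError` rather than returning a value, so a reader knows the call must be wrapped, and since the commit also adds CIE authn request tests it is worth saying that only the SPID request class is shown here. Grammar: "With the same functions is possible to validate" should be "With the same functions it is possible to validate".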

76 changes: 76 additions & 0 deletions docs/INTROSPECTION_ENDPOINT.md
@@ -0,0 +1,76 @@
# OP's Introspection Endpoint
Introspection Endpoint provides metadata for a given token that was presented to it by an RP.

In spid_cie_oidc.onboarding.schemas there are functions to generate the json schema of the Introspection Request to the OP's Introspection Endpoint from RP and the related OP's response to RP.

With the same functions is possible to validate request and response.


# How to export the introspection request schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.introspection_request import IntrospectionRequest
print(IntrospectionRequest.schema_json(indent=2))
````

# How to validate an introspection request for SPID

````
./manage.py shell
````
Import an introspection request example
````
from spid_cie_oidc.onboarding.tests.introspection_request_settings import INTROSPECTION_REQUEST
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.introspection_request import IntrospectionRequest
IntrospectionRequest(**INTROSPECTION_REQUEST)
````

# How to export the introspection response schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.introspection_response import IntrospectionResponse
print(IntrospectionResponse.schema_json(indent=2))
````

# How to validate an introspection response for SPID

````
./manage.py shell
````
Import an introspection response example
````
from spid_cie_oidc.onboarding.tests.introspection_response_settings import INTROSPECTION_RESPONSE
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.introspection_response import IntrospectionResponse
IntrospectionResponse(**INTROSPECTION_RESPONSE)
````

# How to export the introspection error response schema for SPID

````
./manage.py shell
from spid_cie_oidc.onboarding.schemas.introspection_response import IntrospectionErrorResponseSpid
print(IntrospectionErrorResponseSpid.schema_json(indent=2))
````

# How to validate an introspection error response for SPID

````
./manage.py shell
````
Import an introspection error response example
````
from spid_cie_oidc.onboarding.tests.introspection_response_settings import INTROSPECTION_ERROR_RESPONSE
````
Then to validate
````
from spid_cie_oidc.onboarding.schemas.introspection_response import IntrospectionErrorResponseSpid
IntrospectionErrorResponseSpid(**INTROSPECTION_ERROR_RESPONSE)
````
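Review bot: the class naming in this new doc is inconsistent: the request and success response use `IntrospectionRequest` and `IntrospectionResponse`, while the error response uses `IntrospectionErrorResponseSpid`, yet all six headings say "for SPID". Either the `Spid` suffix marks a SPID-specific schema, in which case the "for SPID" headings over the generic classes are misleading, or the suffix should be dropped for consistency. As in the authentication doc, say that a failed validation raises an exception rather than returning a value, and "With the same functions is possible" should read "it is possible".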
110 changes: 110 additions & 0 deletions docs/JWT_SIGNATURE_ENCRYPTION_API.md
@@ -0,0 +1,110 @@
# Create a jws

Enter in your project shell

````
./manage.py shell
````
Define a jwk, for example:
````
jwk=
{
'kty': 'RSA',
'kid': 'FifYx03bnosD8m6gYQIfNHNP9cM_Sam9Tc5nLloIIrc',
'e': 'AQAB',
'n':'3i5vV-_4nF_ES1BU86Zf2Bj6SiyGdGM3Izc2GrvtknQQCzpT3QlGv2d_wMrzVTS7PmZlvjyi2Qceq8EmEwbsIa5R8G57fxSpE0HL33giJfhpe8ublY4hGb6tEqSbHiFcgiF4T-Ft_98pz4nZtKTcesMZ8CcDUd9ibaLXGM4vaiUhSt76X1qOzqJHqAKMG-9VGm5DD2GSe7cu1yvaMCMPU6DGOqHYoBSkSbsnLelsRg6sINh6mZfb39odTJlOMFGhlg665702kc_iqqxd8jpyOh94vBagmJB4EQqI1qEte8sTMeBkVRpSLDoV5uNTlp2ZdINu1SakmaHB3WeStwC1lw', 'd':'QvPRP7mjvFOrjlp9zxJyzWbxfYqfVdFUGzuXBUVeWQS6lPeVsAUMmb8xo0JFQ4bpaetne4VAOZBIsM86jv9GBvxF2uMgOfJa5N-t9QB5oeGSv-hiURYMaXqpIvYRfGnnO5ukasXu5O0150GOJj6L5j6GwXSwLmrXeVxZ3zK63QwVl71xU1LR-lO0wLbqQROIT37Jw72B__wBk3QC0HjbrPv1fUVxKB3RCDR43X7PQkMPOfRHxicyp2MA4mLhLvuoRTTI4dfnd8Ou-xX5ctVzYmL0EMxPCleDFDIn9gTxpgCH95sVi-Zg6Zw5k1J_cchoD4AgGSSt2dr9mbiTRjLlcQ', 'p':'8BHX7hErQjESybgfzcX0hZmM-e1EWaM76uNJop9BiqRlBz9f-XxuC40A032AaZFDXqxVi3W0Hn1vJA6lSj9mGY5HEY-YVWAdOLLjM12oQ_cnH6czElExAoppUeMWsDEewDbZTn6rX5silcZ8Pu7Tsj-KSjPVzl9dr1w76EzsYj8',
'q':'7Oy3PGm3MjVlgTlgHnRKC-IcoB50hCBiqwACVcnlIgpg9Kt_srV7NWdmo5DJFIdrrvkjmN4wi9IOknSymStU-sB8BepnnterjPyBOr9PbttUP13qcOjuvjzD7Tr0IGou3yhA-YOuO9hOluhqd4tJIkdxT_X9qxgFQx5NSnsBpqk'
}
````
or create a new one:
````
from spid_cie_oidc.entity.jwks import create_jwk
jwk = create_jwk()
````
Define a payload for example:

````
payload=
{
'client_id': 'https://rp.cie.it',
'response_type': 'code',
'scope': 'openid',
'code_challenge': 'qWJlMe0xdbXrKxTm72EpH659bUxAxw80',
'code_challenge_method': 'S256',
'nonce': 'MBzGqyf9QytD28eupyWhSqMj78WNqpc2',
'prompt': 'consent login',
'redirect_uri': 'https://rp.cie.it/callback1/',
'acr_values': 'CIE_L1 CIE_L2',
'claims': {
'id_token': {
'family_name': {'essential': True},
'email': {'essential': True}
},
'userinfo': {
'name': None,
'family_name': None
}
},
'state': 'fyZiOL9Lf2CeKuNT2JzxiLRDink0uPcd'}
````

Then
````
from spid_cie_oidc.entity.jwtse import create_jws
create_jws(payload,jwk)
````

`create_jws(payload,jwk)` returns jws as follows:

````
'eyJhbGciOiJSUzI1NiIsImtpZCI6IkZpZll4MDNibm9zRDhtNmdZUUlmTkhOUDljTV9TYW05VGM1bkxsb0lJcmMifQ.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.x5E2S55W1_Sh6xzBNRjaYr7rhI0vIqLhZBlG7XtimL60IgZHe9IdrDwGFzY6jezT8j_poxppGAP5j7HJYGKkrzhLJHKSQyIlgeWXDy5FEBAJstcV6fCSRIeeuPhnNOT-pGGCI1p_WBKolztmv_EfILoDsY9MiKAe87k_2DOxRCcYzIwRUSZGoyb8g59t6oDylugelDNxG9-27rPth8k7suoJZiTc9zZ4U3wAOqlkPX0BfhtYPYATI6jZfftwQJYb2Rm081Pml5A_G7DIUO10k5_jDzaL_yna85AFBjuEfy5NqQhe4OTqGmN5xq_iv8c06m6tLyxraXQZSfC4_4fheQ'
````

# Verify a jws

Enter in your project shell

````
./manage.py shell
````

Create a jwk

````
from spid_cie_oidc.entity.jwks import create_jwk
jwk = create_jwk()
````
Then verify

````
from spid_cie_oidc.entity.jwtse import verify_jws
verify_jws(jws, jwk)
````

# How to obtain head from a jws

Enter in your project shell

````
./manage.py shell
````
Create a jws as described above, then
````
from spid_cie_oidc.entity.jwtse import unpad_jwt_head
unpad_jwt_head(jws)
````

# How to obtain payload from a jws

Enter in your project shell

````
./manage.py shell
````
Create a jws as described above, then
````
from spid_cie_oidc.entity.jwtse import unpad_jwt_payload
unpad_jwt_payload(jws)
````
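Review bot: the "Verify a jws" section creates a brand-new key with `jwk = create_jwk()` and then calls `verify_jws(jws, jwk)`; a JWS can only be verified with the public part of the key that signed it, so the example as written must fail. Reuse the `jwk` from "Create a jws" (or show how to derive its public members) and document which exception `verify_jws` raises on a bad signature, since that is the case a caller has to handle. Two smaller points: `jwk=` and `payload=` followed by a newline and `{` are not valid Python when pasted into `./manage.py shell` (put the `{` on the same line as the `=`), and the sample JWK embeds RSA private members (`d`, `p`, `q`); a key whose private part is published in docs can only ever be a throwaway, so mark it as such. The headings "How to obtain head from a jws" should say "header".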
File renamed without changes.

0 comments on commit 91d49d3
