chore: alignments with pyeudiw 0.9.1

.github/workflows/python-app.yml

@@ -31,14 +31,11 @@ jobs:
     - name: Install Python dependencies
       run: |
         pip install --upgrade pip
-        pip install flake8 pipx poetry
-        pip install --upgrade packaging
-        poetry install
-        source $(poetry env info | grep -m1 Path  | awk -F" " {'print $2'})/bin/activate
+        pip install flake8
         pip install "spid-sp-test>=1.2.17"
     - name: Inspect Python dependencies
       run: |
-        poetry show --tree
+        pip list
     - name: Lint with flake8
       run: |
         ## stop the build if there are Python syntax errors or undefined names
@@ -69,19 +66,13 @@ jobs:
     - name: spid-sp-test SPID metadata, requests and responses
       run: |
         cd Docker-compose/satosa-project
-        source $(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin/activate
-        export PATH=$PATH:$(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin
         spid_sp_test --idp-metadata > metadata/idp/spid-sp-test.xml
         spid_sp_test --metadata-url https://localhost/spidSaml2/metadata --authn-url "http://localhost:8000/saml2/login/?idp=https://localhost/Saml2IDP/metadata&next=/saml2/echo_attributes&idphint=https%253A%252F%252Flocalhost%253A8443" -ap spid_sp_test.plugins.authn_request.SatosaSaml2Spid --extra --debug ERROR -tr
     - name: spid-sp-test CIE id metadata
       run: |
         cd Docker-compose/satosa-project
-        source $(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin/activate
-        export PATH=$PATH:$(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin
         spid_sp_test --profile cie-sp-public --metadata-url https://localhost/cieSaml2/metadata
     - name: spid-sp-test eIDAS FiCEP metadata
       run: |
         cd Docker-compose/satosa-project
-        source $(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin/activate
-        export PATH=$PATH:$(poetry env info | grep -m1 Path | awk -F" " {'print $2'})/bin
         spid_sp_test --profile ficep-eidas-sp --metadata-url https://localhost/spidSaml2/metadata

Docker-compose/docker-compose.yml

@@ -70,7 +70,7 @@ services:
         # dockerfile: Dockerfile
     container_name: iam-proxy-italia
     # depends_on:
-    #  - satosa-mongo
+     # - satosa-mongo
     stdin_open: ${SATOSA_DEBUG:-false}   # enables PDB when attach to the compose
     tty: ${SATOSA_DEBUG:-false}   # enables PDB when attach to the compose
     environment:
@@ -123,7 +123,7 @@ services:
       - "10000:10000"
     volumes:
       - ./satosa-project:/satosa_proxy:rwx
-      # - ./eudi-wallet-it-python/pyeudiw:/.venv/lib/python3.12/site-packages/pyeudiw:rwx
+      - /tmp/eudi-wallet-it-python/pyeudiw:/.venv/lib/python3.12/site-packages/pyeudiw:rwx
       # - iam-proxy-italia-data:/satosa_proxy # to be used for external volumes
     working_dir: /satosa_proxy
     entrypoint: "sh entrypoint.sh"

Dockerfile

@@ -32,7 +32,8 @@ COPY pyproject.toml /
 
 RUN python3 -m venv .venv && . .venv/bin/activate
 RUN pip3 install --upgrade pip --break-system-packages
-RUN pip3 install flake8 pipx poetry --break-system-packages 
+RUN pip3 install flake8 pipx poetry pdbpp --break-system-packages
+
 RUN poetry self update
 RUN poetry config virtualenvs.in-project true
 RUN poetry install

example/entrypoint.sh

@@ -28,9 +28,9 @@ fi
 poetry show
 
 wsgi_file=/.venv/lib/$(python -c 'import sys; print(f"python{sys.version_info.major}.{sys.version_info.minor}")')/site-packages/satosa/wsgi.py
-wsgi_cmd="uwsgi --ini /satosa_proxy/uwsgi_setup/uwsgi/uwsgi.ini.docker --wsgi-file $wsgi_file"
-if [[ $SATOSA_DEBUG == true ]]; then
-  $wsgi_cmd --honour-stdin
+wsgi_cmd=""
+if [[ $SATOSA_DEBUG == "true" ]]; then
+  uwsgi --ini /satosa_proxy/uwsgi_setup/uwsgi/uwsgi.ini.debug --wsgi-file $wsgi_file
 else
-  $wsgi_cmd
+  uwsgi --ini /satosa_proxy/uwsgi_setup/uwsgi/uwsgi.ini.docker --wsgi-file $wsgi_file
 fi

example/plugins/backends/pyeudiw_backend.yaml

@@ -20,7 +20,6 @@ config:
       module: pyeudiw.satosa.default.response_handler
       class: ResponseHandler
       path: '/response-uri'
-    entity_configuration: '/.well-known/openid-federation'
     status: '/status'
     get_response: '/get-response'
 
@@ -61,6 +60,8 @@ config:
         - ES512
 
   authorization:
+    client_id: # this field if not set will be autopopulated using internal variables base_url and name using the following format: "<base_url>/<name>" 
+    auth_iss_id: # this field if not set will be set to client_id in the authz request 
     url_scheme: haip
     scopes:
     - pid-sd-jwt:unique_id+given_name+family_name
@@ -105,7 +106,7 @@ config:
     subject_id_random_value: CHANGEME!
 
   network:
-    httpc_params:
+    httpc_params: &httpc_params
       connection:
         ssl: true
       session:
@@ -129,37 +130,89 @@ config:
       p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
       q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
 
+  #This is the configuration for the relaying party metadata
+  metadata: &metadata
+    application_type: web
+
+    #The following section contains all the algorithms supported for the encryption of response
+    authorization_encrypted_response_alg: *enc_alg_supported
+    authorization_encrypted_response_enc: *enc_enc_supported
+    authorization_signed_response_alg: *sig_alg_supported
+
+    #Various informations of the client
+    client_id: # this field is autopopulated using internal variables base_url and name using the following format: "<base_url>/<name>" 
+    client_name: Name of an example organization
+    contacts:
+      - [email protected]
+    default_acr_values:
+      - https://www.spid.gov.it/SpidL2
+      - https://www.spid.gov.it/SpidL3
+
+    #The following section contains all the algorithms supported for the encryption of id token response
+    id_token_encrypted_response_alg: *enc_alg_supported
+    id_token_encrypted_response_enc: *enc_enc_supported
+    id_token_signed_response_alg: *sig_alg_supported
+
+    # loaded in the __init__
+    # jwks:
+
+    redirect_uris: 
+      # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/redirect-uri"
+    request_uris: 
+      # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/request-uri"
+
+    # not necessary according to openid4vp
+    # default_max_age: 1111
+    # require_auth_time: true
+    # subject_type: pairwise
+
+    vp_formats:
+      vc+sd-jwt:
+        sd-jwt_alg_values:
+          - ES256
+          - ES384
+        kb-jwt_alg_values:
+          - ES256
+          - ES384
+
   trust:
     direct_trust_sd_jwt_vc:
       module: pyeudiw.trust.handler.direct_trust_sd_jwt_vc
       class: DirectTrustSdJwtVc
       config:
+        cache_ttl: 0
+        httpc_params: *httpc_params
         jwk_endpoint: /.well-known/jwt-vc-issuer
     direct_trust_jar:
       module: pyeudiw.trust.handler.direct_trust_jar
       class: DirectTrustJar
       config:
+        cache_ttl: 0
+        httpc_params: *httpc_params
         jwk_endpoint: /.well-known/jar-issuer
         jwks: *metadata_jwks
     federation:
       module: pyeudiw.trust.handler.federation
       class: FederationHandler
       config:
-        metadata_type: "wallet_relying_party"
+        httpc_params: *httpc_params
+        cache_ttl: 0
+        entity_configuration_exp: 600
+        metadata_type: "openid_credential_verifier"
+        metadata: *metadata
         authority_hints:
             - http://127.0.0.1:8000
         trust_anchors:
-            - public_keys: []
-            - http://127.0.0.1:8000
+            - http://127.0.0.1:8000: [] # array of public keys
         default_sig_alg: "RS256"
         trust_marks: [] 
         federation_entity_metadata:
-            organization_name: Developers Italia SATOSA OpenID4VP backend
+            organization_name: IAM Proxy Italia OpenID4VP backend
             homepage_uri: https://developers.italia.it
             policy_uri: https://developers.italia.it
             tos_uri: https://developers.italia.it
             logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
-        federation_jwks:
+        federation_jwks: # !ENV PYEUDIW_FEDERATION_JWKS
           - kty: RSA
             d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
             e: AQAB
@@ -204,49 +257,3 @@ config:
           connection_params:
             username: !ENV MONGODB_USERNAME
             password: !ENV MONGODB_PASSWORD
-
-  #This is the configuration for the relaying party metadata
-  metadata:
-    application_type: web
-
-    #The following section contains all the algorithms supported for the encryption of response
-    authorization_encrypted_response_alg: *enc_alg_supported
-    authorization_encrypted_response_enc: *enc_enc_supported
-    authorization_signed_response_alg: *sig_alg_supported
-
-    #Various informations of the client
-    client_id: # this field is autopopulated using internal variables base_url and name using the following format: "<base_url>/<name>" 
-    client_name: Name of an example organization
-    contacts:
-      - [email protected]
-    default_acr_values:
-      - https://www.spid.gov.it/SpidL2
-      - https://www.spid.gov.it/SpidL3
-
-    default_max_age: 1111
-
-    #The following section contains all the algorithms supported for the encryption of id token response
-    id_token_encrypted_response_alg: *enc_alg_supported
-    id_token_encrypted_response_enc: *enc_enc_supported
-    id_token_signed_response_alg: *sig_alg_supported
-
-    # loaded in the __init__
-    # jwks:
-
-
-    redirect_uris: 
-      # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/redirect-uri"
-    request_uris: 
-      # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/request-uri"
-
-    require_auth_time: true
-    subject_type: pairwise
-
-    vp_formats:
-      vc+sd-jwt:
-        sd-jwt_alg_values:
-          - ES256
-          - ES384
-        kb-jwt_alg_values:
-          - ES256
-          - ES384

example/templates/qr_code.html

@@ -96,14 +96,14 @@
         changeQrCodeImg(connectedImg);
         $('#content-qrcode-info').html(`
             <div id="content-function" class="text-center button-container mt-2">
-                <button href="${data.response_url}" 
+                <a href="${data.redirect_uri}" 
                     class="btn btn-primary" 
                     aria-haspopup="false" 
                     aria-expanded="false" 
                     data-focus-mouse="false"
                 >
                 <span>${clickAccessLabel}</span>
-                </button>
+                </a>
             </div>`
         );
     }
@@ -181,18 +181,27 @@
         }
     }, 1000);
 
-    function QRcodeScanCheck() {
-      let endpointSatosa = "{{ status_endpoint }}";
-      let data = {
-        "id": "{{ state }}", 
-      };
+    function statusEndpoint() {
+        let endpointSatosa = "{{ status_endpoint }}";
+        return endpointSatosa; 
+    }
 
+    function sessionIdentifier() {
+        let id = "{{ state }}";
+        return id; 
+    }
+
+
+    function QRcodeScanCheck() {
+      let qrStatusUrl = statusEndpoint();
+      let data = {"id": sessionIdentifier()}
       let ajaxRequest = $.ajax({
         type: 'GET',
-        url: endpointSatosa,
+        url: qrStatusUrl,
         data,
         statusCode: {
           201: StartQRcodeScanCheck,
+          202: StartQRcodeScanCheck,
           200: connectionCompleted,
           400: Forbidden,
           401: Forbidden,

example/uwsgi_setup/uwsgi/uwsgi.ini.debug

@@ -2,50 +2,33 @@
 project     = iam-proxy-italia
 base        = /opt
 
-chdir       = %(base)/%(project)/project
+chdir       = /satosa_proxy
 
 uid         = satosa
 gid         = satosa
 
-socket      = 127.0.0.1:3002
+socket      = 0.0.0.0:10000
 master      = true
 processes   = 1
-#threads     = 2
 
 # set max connections to 1024 in uWSGI
 listen = 305
 
-wsgi-file   = %(base)/%(project)/env/lib/python3.10/site-packages/satosa/wsgi.py
 callable = app
-# se installato con pip non serve il plugin perchè embedded
-#plugins    = python
-
-# con virtualenv non serve
-#pythonpath     = %(base)/%(project)/%(project)
-
-virtualenv  = %(base)/%(project)/env
-
+vacuum      = True
 honour-stdin = True
-#logto = /var/log/uwsgi/%(project).log
-#log-maxsize = 100000000
-#log-backupname = /var/log/uwsgi/%(project).old.log
+die-on-term
 
-#module      = django_saml2_idp.wsgi:application
+# respawn processes taking more than takes more then ... seconds
+harakiri    = 20000
 
 vacuum      = True
 
 # respawn processes after serving ... requests
 max-requests    = 512
 
-# respawn processes taking more than takes more then ... seconds
-harakiri    = 20000
-
 # avoid: invalid request block size: 4420 (max 4096)...skip
 buffer-size=32768
 
-#env         = %(project).settings
-
-pidfile     = /var/log/uwsgi/%(project).pid
-touch-reload    = %(base)/%(project)/proxy_conf.yaml
-stats           = 127.0.0.1:9193
-stats-http      = True
+pidfile     = /satosa_proxy/%(project).pid
+touch-reload    = /satosa_proxy/proxy_conf.yaml