feat: provider management command to fetch all the RPs from several l…

…isting endpoints fix: trust chain evaluation fix: example data for sp
italia · Feb 26, 2022 · 1e3ab6a · 1e3ab6a
1 parent 8082682
commit 1e3ab6a
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 6 deletions.
diff --git a/examples/federation_authority/dumps/example.json b/examples/federation_authority/dumps/example.json
diff --git a/spid_cie_oidc/authority/admin.py b/spid_cie_oidc/authority/admin.py
@@ -25,7 +25,7 @@ class FederationDescendantJwkAdminInline(admin.StackedInline):
 
 @admin.register(FederationDescendant)
 class FederationDescendantAdmin(admin.ModelAdmin):
-    list_display = ("sub", "name", "status", "is_active", "created")
+    list_display = ("sub", "name", "type", "status", "is_active", "created")
     list_filter = ("type", "created", "modified", "is_active")
     search_fields = ("sub",)
     readonly_fields = (

diff --git a/spid_cie_oidc/authority/views.py b/spid_cie_oidc/authority/views.py
@@ -53,13 +53,15 @@ def entity_list(request):
         }
     elif is_leaf == "false":
         _q = {"profile__profile_category": "federation_entity"}
+    elif request.GET.get("type", "").lower():
+        _q = {"profile__profile_category": request.GET["type"]}
     else:
         _q = {}
 
     entries = FederationEntityAssignedProfile.objects.filter(**_q).values_list(
         "descendant__sub", flat=True
     )
-    return JsonResponse(list(entries), safe=False)
+    return JsonResponse(list(set(entries)), safe=False)
 
 
 def resolve_entity_statement(request):

diff --git a/spid_cie_oidc/entity/statements.py b/spid_cie_oidc/entity/statements.py
@@ -415,10 +415,12 @@ def validate_by_superior_statement(self, jwt: str, ec):
             target = self.verified_by_superiors
             ec.verified_descendant_statements[self.sub] = payload
             target[payload["iss"]] = ec
+            self.is_valid = True
             return self.verified_by_superiors.get(ec.sub)
         else:
             target = self.failed_superiors
             ec.failed_descendant_statements[self.sub] = payload
+            self.is_valid = False
 
     def validate_by_superiors(
         self,

diff --git a/spid_cie_oidc/entity/trust_chain_operations.py b/spid_cie_oidc/entity/trust_chain_operations.py
@@ -1,5 +1,7 @@
 import logging
 
+from typing import Union
+
 from . exceptions import InvalidTrustchain
 from . models import FetchedEntityStatement, TrustChain
 from . statements import EntityConfiguration, get_entity_configurations
@@ -16,7 +18,7 @@ def trust_chain_builder(
     httpc_params: dict = HTTPC_PARAMS,
     required_trust_marks: list = [],
     metadata_type: str = "openid_provider",
-) -> TrustChainBuilder:
+) -> Union[TrustChainBuilder, bool]:
     """
     Minimal Provider Discovery endpoint request processing
 
@@ -169,7 +171,7 @@ def get_or_create_trust_chain(
             required_trust_marks = required_trust_marks,
             metadata_type=metadata_type
         )
-        if not trust_chain.is_valid:
+        if not trust_chain or not trust_chain.is_valid:
             raise InvalidTrustchain(
                 f"Trust chain for subject {subject} and "
                 f"trust_anchor {trust_anchor} is not valid"
@@ -198,6 +200,7 @@ def get_or_create_trust_chain(
 
         if tc:
             tc.update(**data)
+            tc = tc.first()
         else:
             tc = TrustChain.objects.create(
                 sub = subject,

diff --git a/spid_cie_oidc/provider/management/__init__.py b/spid_cie_oidc/provider/management/__init__.py
diff --git a/spid_cie_oidc/provider/management/commands/__init__.py b/spid_cie_oidc/provider/management/commands/__init__.py
diff --git a/spid_cie_oidc/provider/management/commands/fetch_openid_relying_parties.py b/spid_cie_oidc/provider/management/commands/fetch_openid_relying_parties.py
@@ -0,0 +1,103 @@
+import json
+import logging
+
+from django.conf import settings
+from django.core.management.base import BaseCommand
+from django.utils.translation import gettext as _
+
+from spid_cie_oidc.entity.statements import (
+    get_entity_configurations,
+    get_http_url,
+    EntityConfiguration,
+)
+from spid_cie_oidc.entity.trust_chain_operations import get_or_create_trust_chain
+
+
+logger = logging.getLogger(__name__)
+
+
+class Command(BaseCommand):
+    help = 'Attribute release query'
+
+    def add_arguments(self, parser):
+        parser.epilog = 'Example: ./manage.py fetch_openid_providers'
+        parser.add_argument(
+            '--from', nargs='*', default=[],
+            help=_(
+                "A list of url of authorities, separated by space where "
+                "download the list of OPs"
+            )
+        )
+        parser.add_argument(
+            '-f', "--force",  action="store_true", required=False,
+            help=_(
+                "Don't use already cached statements and chains"
+            )
+        )
+        parser.add_argument('-debug', required=False, action="store_true",
+                            help="see debug message")
+
+    def handle(self, *args, **options):
+        if not options['from']:
+            return
+
+        res = []
+        rp_subs = []
+        jwts = get_entity_configurations(options['from'])
+        auth_ecs = []
+        for i in jwts:
+            ec = EntityConfiguration(i)
+            if ec.validate_by_itself():
+                auth_ecs.append(ec)
+
+        if not auth_ecs:
+            logger.warning(
+                f"Any of {options['from']} has a valid EntityConfiguration "
+                "to get a List endpoint"
+            )
+            return
+
+        logger.info(
+            f"Found {auth_ecs} federation entities where to query a list of RPs"
+        )
+
+        list_urls = []
+        for i in auth_ecs:
+            endpoint = i.payload.get("metadata", {}).get('federation_entity', {}).get("federation_list_endpoint", "")
+            if endpoint:
+                list_urls.append(f"{endpoint}?type=openid_relying_party")
+
+        rp_subs = []
+        for rp_sub in get_http_url(list_urls, httpc_params = settings.HTTPC_PARAMS):
+
+            try:
+                urls = json.loads(rp_sub)
+                rp_subs.extend(urls)
+            except Exception as e:
+                logger.error(f"Failed {e}")
+                continue
+
+        for rp_sub in rp_subs:
+            try:
+                tc = get_or_create_trust_chain(
+                    subject = rp_sub,
+                    trust_anchor = settings.FEDERATION_TRUST_ANCHOR,
+                    metadata_type = 'openid_relying_party',
+                    httpc_params = settings.HTTPC_PARAMS,
+                    required_trust_marks = getattr(
+                        settings, 'OIDCFED_REQUIRED_TRUST_MARKS', []
+                    ),
+                    force=options['force']
+                )
+                if tc.is_valid:
+                    res.append(tc)
+
+                logger.info(
+                    f"Final Metadata for {tc.sub}:\n\n{tc.metadata}"
+                )
+
+            except Exception as e:
+                logger.exception(
+                    f"Failed to download {rp_sub} due to: {e}"
+                )
+
diff --git a/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py b/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py
@@ -24,7 +24,7 @@ def add_arguments(self, parser):
             )
         )
         parser.add_argument(
-            '-f', "--force",  action="store_true", required=True,
+            '-f', "--force",  action="store_true", required=False,
             help=_(
                 "Don't use already cached statements and chains"
             )