tmp

Author: stevenbal

src/open_inwoner/conf/app/setup_configuration.py

@@ -203,3 +203,37 @@
 ADMIN_OIDC_OIDC_STATE_SIZE = config("ADMIN_OIDC_OIDC_STATE_SIZE", None)
 ADMIN_OIDC_OIDC_EXEMPT_URLS = config("ADMIN_OIDC_OIDC_EXEMPT_URLS", None)
 ADMIN_OIDC_USERINFO_CLAIMS_SOURCE = config("ADMIN_OIDC_USERINFO_CLAIMS_SOURCE", None)
+
+DIGID_ENABLE = config("DIGID_ENABLE", default=True)
+DIGID_CERTIFICATE_LABEL = config("DIGID_CERTIFICATE_LABEL", None)
+DIGID_CERTIFICATE_TYPE = config("DIGID_CERTIFICATE_TYPE", None)
+DIGID_CERTIFICATE_PUBLIC_CERTIFICATE = config(
+    "DIGID_CERTIFICATE_PUBLIC_CERTIFICATE", None
+)
+DIGID_CERTIFICATE_PRIVATE_KEY = config("DIGID_CERTIFICATE_PRIVATE_KEY", None)
+DIGID_METADATA_FILE_SOURCE = config("DIGID_METADATA_FILE_SOURCE", None)
+DIGID_WANT_ASSERTIONS_SIGNED = config("DIGID_WANT_ASSERTIONS_SIGNED", None)
+DIGID_WANT_ASSERTIONS_ENCRYPTED = config("DIGID_WANT_ASSERTIONS_ENCRYPTED", None)
+DIGID_ARTIFACT_RESOLVE_CONTENT_TYPE = config(
+    "DIGID_ARTIFACT_RESOLVE_CONTENT_TYPE", None
+)
+DIGID_KEY_PASSPHRASE = config("DIGID_KEY_PASSPHRASE", None)
+DIGID_SIGNATURE_ALGORITHM = config("DIGID_SIGNATURE_ALGORITHM", None)
+DIGID_DIGEST_ALGORITHM = config("DIGID_DIGEST_ALGORITHM", None)
+DIGID_ENTITY_ID = config("DIGID_ENTITY_ID", None)
+DIGID_BASE_URL = config("DIGID_BASE_URL", None)
+DIGID_SERVICE_NAME = config("DIGID_SERVICE_NAME", None)
+DIGID_SERVICE_DESCRIPTION = config("DIGID_SERVICE_DESCRIPTION", None)
+DIGID_TECHNICAL_CONTACT_PERSON_TELEPHONE = config(
+    "DIGID_TECHNICAL_CONTACT_PERSON_TELEPHONE", None
+)
+DIGID_TECHNICAL_CONTACT_PERSON_EMAIL = config(
+    "DIGID_TECHNICAL_CONTACT_PERSON_EMAIL", None
+)
+DIGID_ORGANIZATION_URL = config("DIGID_ORGANIZATION_URL", None)
+DIGID_ORGANIZATION_NAME = config("DIGID_ORGANIZATION_NAME", None)
+DIGID_ATTRIBUTE_CONSUMING_SERVICE_INDEX = config(
+    "DIGID_ATTRIBUTE_CONSUMING_SERVICE_INDEX", None
+)
+DIGID_REQUESTED_ATTRIBUTES = config("DIGID_REQUESTED_ATTRIBUTES", None)
+DIGID_SLO = config("DIGID_SLO", None)

src/open_inwoner/configurations/bootstrap/auth.py

@@ -1,10 +1,15 @@
 from django.conf import settings
+from django.contrib.admin.sites import AdminSite
 from django.contrib.auth.models import Group
+from django.test import RequestFactory
 
+from digid_eherkenning.admin import DigidConfigurationAdmin
+from digid_eherkenning.models import DigidConfiguration
 from django_setup_configuration.configuration import BaseConfigurationStep
 from django_setup_configuration.exceptions import ConfigurationRunFailed
 from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm
 from mozilla_django_oidc_db.models import OpenIDConnectConfig
+from simple_certmanager.models import Certificate
 
 from digid_eherkenning_oidc_generics.admin import (
     OpenIDConnectDigiDConfigForm,
@@ -239,3 +244,97 @@ def test_configuration(self):
         TODO not sure if it is feasible (because there are different possible IdPs),
         but it would be nice if we could test the login from automatically
         """
+
+
+class DigiDConfigurationStep(BaseConfigurationStep):
+    """
+    Configure DigiD via SAML
+    """
+
+    verbose_name = "Configuration for DigiD via SAML"
+    required_settings = [
+        "DIGID_CERTIFICATE_LABEL",
+        "DIGID_CERTIFICATE_TYPE",
+        "DIGID_CERTIFICATE_PUBLIC_CERTIFICATE",
+        "DIGID_CERTIFICATE_PRIVATE_KEY",
+        "DIGID_METADATA_FILE_SOURCE",
+        "DIGID_ENTITY_ID",
+        "DIGID_BASE_URL",
+        "DIGID_SERVICE_NAME",
+        "DIGID_SERVICE_DESCRIPTION",
+    ]
+    all_settings = required_settings + [
+        "DIGID_WANT_ASSERTIONS_SIGNED",
+        "DIGID_WANT_ASSERTIONS_ENCRYPTED",
+        "DIGID_ARTIFACT_RESOLVE_CONTENT_TYPE",
+        "DIGID_KEY_PASSPHRASE",
+        "DIGID_SIGNATURE_ALGORITHM",
+        "DIGID_DIGEST_ALGORITHM",
+        "DIGID_TECHNICAL_CONTACT_PERSON_TELEPHONE",
+        "DIGID_TECHNICAL_CONTACT_PERSON_EMAIL",
+        "DIGID_ORGANIZATION_URL",
+        "DIGID_ORGANIZATION_NAME",
+        "DIGID_ATTRIBUTE_CONSUMING_SERVICE_INDEX",
+        "DIGID_REQUESTED_ATTRIBUTES",
+        "DIGID_SLO",
+    ]
+    enable_setting = "DIGID_ENABLE"
+
+    def is_configured(self) -> bool:
+        config = DigidConfiguration.get_solo()
+        return bool(
+            config.certificate
+            and config.metadata_file_source
+            and config.entity_id
+            and config.base_url
+            and config.service_name
+            and config.service_description
+        )
+
+    def configure(self):
+        config = DigidConfiguration.get_solo()
+
+        # Use the model defaults
+        form_data = {
+            field.name: getattr(config, field.name)
+            for field in DigidConfiguration._meta.fields
+        }
+
+        # Only override field values with settings if they are defined
+        for setting in self.all_settings:
+            value = getattr(settings, setting, None)
+            if value is not None:
+                model_field_name = setting.split("DIGID_")[1].lower()
+                if model_field_name.startswith("certificate"):
+                    continue
+
+                form_data[model_field_name] = value
+
+        certificate, _ = Certificate.objects.get_or_create(
+            label=settings.DIGID_CERTIFICATE_LABEL,
+            defaults={
+                "type": settings.DIGID_CERTIFICATE_TYPE,
+                "public_certificate": settings.DIGID_CERTIFICATE_PUBLIC_CERTIFICATE,
+                "private_key": settings.DIGID_CERTIFICATE_PRIVATE_KEY,
+            },
+        )
+
+        form_data["certificate"] = certificate
+
+        request = RequestFactory().get("/")
+        digid_admin = DigidConfigurationAdmin(DigidConfiguration, AdminSite())
+        form_class = digid_admin.get_form(request)
+
+        form = form_class(data=form_data)
+        if not form.is_valid():
+            raise ConfigurationRunFailed(
+                f"Something went wrong while saving configuration: {form.errors}"
+            )
+
+        form.save()
+
+    def test_configuration(self):
+        """
+        TODO not sure if it is feasible (because there are different possible IdPs),
+        but it would be nice if we could test the login from automatically
+        """

src/open_inwoner/configurations/tests/bootstrap/files/digid-metadata.xml

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="_8aeffce5e70efe56f47d80f1f0322e9a5dbf6bf0" entityID="https://was-preprod1.digid.nl/saml/idp/metadata"><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_8aeffce5e70efe56f47d80f1f0322e9a5dbf6bf0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds saml samlp xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>NoOIwQlJT+i8sPfoZAqpxlGTh7hqWVGeVHcu9vhQ+xA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ixScWp/yrGs4LRQHqnF9Zr/Jn1MOIS5TwiWwiUc3d5sv+jMbVFGSw4fHE0Yu6yp5kOajK3wCY8TbfcIb++na5XWlHDfMD3MhiNBTdr2vIw6tdqetSCng02r5BQN1wug1qH1RY8FRH39X0opOVbs/V9HsCoquRvVRxjidz9L5Q3PNx/VPGHWkW4iclJKsJT4UPqTR6ZQww3Krd7XzUA3pnTx97WxJegfwmg70H/WQiasV1eI4tWm3PFHhhS2TuVshxoWxa2Qzz6HHYsOX+jWVnL9M3YF/RXuoMdt3cOtde7/EX6Cw2r50hAODnClQgRoxuPMBhdTXAyq6NirmPR9dKg==</ds:SignatureValue><ds:KeyInfo><ds:KeyName>7593b799e735055fcd479caa35d44d455576cefc</ds:KeyName></ds:KeyInfo></ds:Signature><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>7593b799e735055fcd479caa35d44d455576cefc</ds:KeyName><ds:X509Data><ds:X509Certificate>MIIG+zCCBOOgAwIBAgIUJmQio80TiqOX3LMrbzeG1dh0ngEwDQYJKoZIhvcN
+AQELBQAwgYAxCzAJBgNVBAYTAk5MMSAwHgYDVQQKDBdRdW9WYWRpcyBUcnVz
+dGxpbmsgQi5WLjEXMBUGA1UEYQwOTlRSTkwtMzAyMzc0NTkxNjA0BgNVBAMM
+LVF1b1ZhZGlzIFBLSW92ZXJoZWlkIFByaXZhdGUgU2VydmljZXMgQ0EgLSBH
+MTAeFw0yMzA5MjExOTEyNTlaFw0yNjA5MjExOTA3MDBaMF4xCzAJBgNVBAYT
+Ak5MMQ8wDQYDVQQKDAZMb2dpdXMxHTAbBgNVBAUTFDAwMDAwMDA0MTY2OTA5
+OTEzMDAwMR8wHQYDVQQDDBZzYW1sLXNpZ24ucHAxLmRpZ2lkLm5sMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5r8GtcRfX3UN3f7I8Iobhy/N
+U0Y+MV6DEXTmDRvRDZjwjr6ammB/cd1fsDz7D5CU+eax205aDRH69mMZk11x
+cIKDjISvtBFLQVxwWXgTGpUSBogFHfp70/yfvcC7vq8gE7zjRN9gNzZCC0Ak
+D7ZwAfFBbwI9nBSiMby9MY41MjS/W10uik1I6s5Ok2u/WfUe6FjcnaoU1O7O
+tpJGAkW/yDC5HWypqeTG1fSPee/0GjvU8FH+Bu73fAFHa86KSO15eaCUR6Ea
+7qCjpLsfPizweP9Adehlal1blfxsfJdFunq/jnO8NhYnQ7DC0aBd6ET8Wo/O
+1ZacGsYmJWq9dqeleQIDAQABo4ICjDCCAogwHwYDVR0jBBgwFoAUuWymE7q7
+LzRjgzEu+X5JHd8A9WMwfQYIKwYBBQUHAQEEcTBvMD4GCCsGAQUFBzAChjJo
+dHRwOi8vdHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3BraW9wcml2c2Vydmcx
+LmNydDAtBggrBgEFBQcwAYYhaHR0cDovL3NsLm9jc3AucXVvdmFkaXNnbG9i
+YWwuY29tMCEGA1UdEQQaMBiCFnNhbWwtc2lnbi5wcDEuZGlnaWQubmwwggEw
+BgNVHSAEggEnMIIBIzCCAR8GCmCEEAGHawECCAYwggEPMDQGCCsGAQUFBwIB
+FihodHRwOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MIHW
+BggrBgEFBQcCAjCByQyBxlJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUg
+YnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgcmVsZXZh
+bnQgUXVvVmFkaXMgQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
+YW5kIG90aGVyIGRvY3VtZW50cyBpbiB0aGUgUXVvVmFkaXMgcmVwb3NpdG9y
+eSAoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20pLjAdBgNVHSUEFjAU
+BggrBgEFBQcDAgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0cDov
+L2NybC5xdW92YWRpc2dsb2JhbC5jb20vcGtpb3ByaXZzZXJ2ZzEuY3JsMB0G
+A1UdDgQWBBRZAjjqOD74qry7CXrnZUyjOI33CzAOBgNVHQ8BAf8EBAMCBaAw
+DQYJKoZIhvcNAQELBQADggIBABiPLzZxV8YAFV0OIvK35Qh11zDZYPEp09RN
+9NDsb+kOvShIBQirgejYA1SVZ73vMzFUmVNW/LyKoflH/N3ziU5NoMHK/31G
+yP3W5Ffeezo42wLqqv1Ttfod3Tg56LC/jZb0a7R4LoosfFuEvHwWM8vJO8oy
+IFuNSclSXOR0UArdeUl6fXsYExFOkdKgsrjcDBH+DOs/LlDPwL9qL3aK6vOG
+WMXlfaFfRVhmcqs1ZVXLc+ylyT2DKf96oQSXE/pIB/yCcl3MuG3Xb0mp4MEq
+AcAvEa4bIW0c1ULmlmxfw7F8rR2pVWN3wl8fqsxYxg6SNp3+ZKjOvX5GVGz+
+2nGWC+W2szqpRL/uvNWquSZaFHRiFkbJLtZNMy9HF7F0P62ler7BuZ4resb1
+l5d+rRRUocPwBv6GrBv6WE6QXpKkYZyuElkl7u3W+/L5UGaz+rAaMYJ1DdQL
+XgAdq4KIuh9VR/YsFpttXUz2ieRBm1s2t0otk/sr0zFT23mt22lVVSaHmfCB
+X8xCL9z8Y+XlbhPWhoXf8hvKI9KLcpf+e9OiS84+MYq4xJxoESNoq31oYirM
+I1g9TNGKXAKrXIv9laeinsIJnn7zhSFu0LWz8XuvjuxPXtPzi9mOh98wIp6H
++AbyNMBwYTQKpOAd8jsD6+2d1gK5WHtwce5cWxgVdo1czCvY
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>7593b799e735055fcd479caa35d44d455576cefc</ds:KeyName><ds:X509Data><ds:X509Certificate>MIIG+zCCBOOgAwIBAgIUJmQio80TiqOX3LMrbzeG1dh0ngEwDQYJKoZIhvcN
+AQELBQAwgYAxCzAJBgNVBAYTAk5MMSAwHgYDVQQKDBdRdW9WYWRpcyBUcnVz
+dGxpbmsgQi5WLjEXMBUGA1UEYQwOTlRSTkwtMzAyMzc0NTkxNjA0BgNVBAMM
+LVF1b1ZhZGlzIFBLSW92ZXJoZWlkIFByaXZhdGUgU2VydmljZXMgQ0EgLSBH
+MTAeFw0yMzA5MjExOTEyNTlaFw0yNjA5MjExOTA3MDBaMF4xCzAJBgNVBAYT
+Ak5MMQ8wDQYDVQQKDAZMb2dpdXMxHTAbBgNVBAUTFDAwMDAwMDA0MTY2OTA5
+OTEzMDAwMR8wHQYDVQQDDBZzYW1sLXNpZ24ucHAxLmRpZ2lkLm5sMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5r8GtcRfX3UN3f7I8Iobhy/N
+U0Y+MV6DEXTmDRvRDZjwjr6ammB/cd1fsDz7D5CU+eax205aDRH69mMZk11x
+cIKDjISvtBFLQVxwWXgTGpUSBogFHfp70/yfvcC7vq8gE7zjRN9gNzZCC0Ak
+D7ZwAfFBbwI9nBSiMby9MY41MjS/W10uik1I6s5Ok2u/WfUe6FjcnaoU1O7O
+tpJGAkW/yDC5HWypqeTG1fSPee/0GjvU8FH+Bu73fAFHa86KSO15eaCUR6Ea
+7qCjpLsfPizweP9Adehlal1blfxsfJdFunq/jnO8NhYnQ7DC0aBd6ET8Wo/O
+1ZacGsYmJWq9dqeleQIDAQABo4ICjDCCAogwHwYDVR0jBBgwFoAUuWymE7q7
+LzRjgzEu+X5JHd8A9WMwfQYIKwYBBQUHAQEEcTBvMD4GCCsGAQUFBzAChjJo
+dHRwOi8vdHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3BraW9wcml2c2Vydmcx
+LmNydDAtBggrBgEFBQcwAYYhaHR0cDovL3NsLm9jc3AucXVvdmFkaXNnbG9i
+YWwuY29tMCEGA1UdEQQaMBiCFnNhbWwtc2lnbi5wcDEuZGlnaWQubmwwggEw
+BgNVHSAEggEnMIIBIzCCAR8GCmCEEAGHawECCAYwggEPMDQGCCsGAQUFBwIB
+FihodHRwOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MIHW
+BggrBgEFBQcCAjCByQyBxlJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUg
+YnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgcmVsZXZh
+bnQgUXVvVmFkaXMgQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
+YW5kIG90aGVyIGRvY3VtZW50cyBpbiB0aGUgUXVvVmFkaXMgcmVwb3NpdG9y
+eSAoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20pLjAdBgNVHSUEFjAU
+BggrBgEFBQcDAgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0cDov
+L2NybC5xdW92YWRpc2dsb2JhbC5jb20vcGtpb3ByaXZzZXJ2ZzEuY3JsMB0G
+A1UdDgQWBBRZAjjqOD74qry7CXrnZUyjOI33CzAOBgNVHQ8BAf8EBAMCBaAw
+DQYJKoZIhvcNAQELBQADggIBABiPLzZxV8YAFV0OIvK35Qh11zDZYPEp09RN
+9NDsb+kOvShIBQirgejYA1SVZ73vMzFUmVNW/LyKoflH/N3ziU5NoMHK/31G
+yP3W5Ffeezo42wLqqv1Ttfod3Tg56LC/jZb0a7R4LoosfFuEvHwWM8vJO8oy
+IFuNSclSXOR0UArdeUl6fXsYExFOkdKgsrjcDBH+DOs/LlDPwL9qL3aK6vOG
+WMXlfaFfRVhmcqs1ZVXLc+ylyT2DKf96oQSXE/pIB/yCcl3MuG3Xb0mp4MEq
+AcAvEa4bIW0c1ULmlmxfw7F8rR2pVWN3wl8fqsxYxg6SNp3+ZKjOvX5GVGz+
+2nGWC+W2szqpRL/uvNWquSZaFHRiFkbJLtZNMy9HF7F0P62ler7BuZ4resb1
+l5d+rRRUocPwBv6GrBv6WE6QXpKkYZyuElkl7u3W+/L5UGaz+rAaMYJ1DdQL
+XgAdq4KIuh9VR/YsFpttXUz2ieRBm1s2t0otk/sr0zFT23mt22lVVSaHmfCB
+X8xCL9z8Y+XlbhPWhoXf8hvKI9KLcpf+e9OiS84+MYq4xJxoESNoq31oYirM
+I1g9TNGKXAKrXIv9laeinsIJnn7zhSFu0LWz8XuvjuxPXtPzi9mOh98wIp6H
++AbyNMBwYTQKpOAd8jsD6+2d1gK5WHtwce5cWxgVdo1czCvY
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://was-preprod1.digid.nl/saml/idp/resolve_artifact" index="0"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod1.digid.nl/saml/idp/request_logout"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod1.digid.nl/saml/idp/request_authentication"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod1.digid.nl/saml/idp/request_authentication"/></md:IDPSSODescriptor></md:EntityDescriptor>