Merge pull request #35 from rohe/updated_policy_handling

Updated policy handling

setup_federation/README_identity.rst

@@ -0,0 +1,231 @@
+########################################
+OpenID federation as Identity Federation
+########################################
+
+The federation consists of the following entities:
+
+* trust anchor
+* trust mark issuer
+* OpenID Connect Provider
+* OpenID Relying Party
+
+In this example all the entities are running on the same machine.
+It is of course not necessary to do so.
+If you run the entities on separate machines you have to move the necessary
+files inbetween them. You also have to change **entity_id**, **port** and **domain**
+in the relevant conf.json file.
+
+Start by setting up the trust anchor.
+
+Trust Anchor
+------------
+
+The configuration of the trust anchor can be found in the *trust_anchor* directory.
+Consists of two files
+
+* conf.json
+    The configuration of the entitys components
+* views.py
+    The webserver's (Flask) interface configuration
+
+The existence of those two file with exactly those names are necessary for this
+to work.
+
+To start running the trust anchor you have to do::
+
+    ./entity.py trust_anchor
+
+This will create a number of things in the *trust_anchor* directory
+
+* private
+    Where the JWKS representation of the private federation keys are kept
+* static
+    Where the JWKS representation of the public federation keys are kept
+* subordinate
+    A directory where information about subordinates are to be kept
+* trust_mark_issuers
+    A directory where information about trust mark issuers are kept.
+* debug.log
+    A log file
+
+All entities in the federation has to have some information about the
+trust mark. The information to pass along is collected by doing::
+
+    ./get_info.py -k -t https://127.0.0.1:7003 > trust_anchor.json
+
+This must be done while the Trust anchor is running.
+Of course if you have changed the entity_id of the trust anchor from
+https://127.0.0.1:7003 to something else you have to change this command accordingly.
+
+Now you're done with phase 1 concerning the trust anchor. So you can
+kill that process for the time being.
+
+Trust Mark Issuer
+-----------------
+
+To start running the trust mark issuer you have to do::
+
+    ./entity.py trust_mark_issuer
+
+A slightly different set of files/directories has been added
+
+* private
+    Where the JWKS representation of the private federation keys are kept
+* static
+    Where the JWKS representation of the public federation keys are kept
+* trust_anchors
+    A directory where information about trust anchors are kept
+* authority_hints
+    A file containing entity_ids of this entity's authority hints.
+    Note that there is also a authority_hints.lock file present you can safely
+    ignore it.
+* debug.log
+    A log file
+
+Now four things have to happen::
+
+1. Adding information about trust anchors
+2. Add authority hints
+3. Add information about the trust mark issuer as a subordinate to the trust anchor
+4. Add information about the trust mark issuer as a trust mark issuer to the trust anchor.
+
+The first two are simply::
+
+    ./add_info.py -s trust_anchor.json -t trust_mark_issuer/trust_anchors
+    echo -e "https://127.0.0.1:7003" >> trust_mark_issuer/authority_hints
+
+The third would look like this::
+
+    ./get_info.py -k -s https://127.0.0.1:6000 > tmp.json
+    ./add_info.py -s tmp.json -t trust_anchor/subordinates
+
+The fourth is presently done like this (may change in the future)::
+
+    ./issuer.py trust_mark_issuer > tmp.json
+    ./add_info.py -s tmp.json -t trust_anchor/trust_mark_issuers
+
+That should do it for the trust mark issuer.
+If you now restart it it should have all the necessary information to be part of the federation.
+
+**Note** The same goes for these commands as was noted above. If you change the
+entity_id of the trust anchor or the trust mark issuer you have to change the
+command parameters accordingly.
+
+OpenID Connect Provider
+-----------------------
+
+Much the same as for the trust mark issuer.
+To start running the wallet provider you have to do::
+
+    ./entity.py openid_provider
+
+A slightly different set of files/directories has been added
+
+* private
+    Where the JWKS representation of the private federation keys are kept
+* static
+    Where the JWKS representation of the public federation keys are kept
+* trust_anchors
+    A directory where information about trust anchors are kept
+* authority_hints
+    A file containing entity_ids of this entity's authority hints.
+    Note that there is also a authority_hints.lock file present you can safely
+    ignore it.
+* debug.log
+    A log file
+
+Now four things have to happen::
+
+1. Adding information about trust anchors
+2. Add authority hints
+3. Add information about the wallet provider as a subordinate to the trust anchor
+
+The first two are simply::
+
+    ./add_info.py -s trust_anchor.json -t wallet_provider/trust_anchors
+    echo -e "https://127.0.0.1:7003" >> wallet_provider/authority_hints
+
+The third would look like this::
+
+    ./get_info.py -k -s https://127.0.0.1:4004 > tmp.json
+    ./add_info.py -s tmp.json -t trust_anchor/subordinates
+
+
+That should do it for the wallet provider.
+If you now restart it it should have all the necessary information to be part of the federation.
+
+**Note** The same goes for these commands as was noted above. If you change the
+entity_id of the trust anchor or the wallet provider you have to change the
+command parameters accordingly.
+
+OpenID Relying Party
+--------------------
+
+Much the same as for the openid provider.
+To start running the relying party you have to do::
+
+    ./entity.py relaying_party_explicit
+
+A slightly different set of files/directories has been added
+
+* private
+    Where the JWKS representation of the private federation keys are kept
+* static
+    Where the JWKS representation of the public federation keys are kept
+* trust_anchors
+    A directory where information about trust anchors are kept
+* authority_hints
+    A file containing entity_ids of this entity's authority hints.
+    Note that there is also a authority_hints.lock file present you can safely
+    ignore it.
+* debug.log
+    A log file
+
+Now four things have to happen::
+
+1. Adding information about trust anchors
+2. Add authority hints
+3. Add information about the wallet provider as a subordinate to the trust anchor
+
+The first two are simply::
+
+    ./add_info.py -s trust_anchor.json -t relaying_party_explicit/trust_anchors
+    echo -e "https://127.0.0.1:7003" >> relaying_party_explicit/authority_hints
+
+The third would look like this::
+
+    ./get_info.py -k -s https://127.0.0.1:4002 > tmp.json
+    ./add_info.py -s tmp.json -t trust_anchor/subordinates
+
+
+That should do it for the wallet provider.
+If you now restart it it should have all the necessary information to be part of the federation.
+
+**Note** The same goes for these commands as was noted above. If you change the
+entity_id of the trust anchor or the wallet provider you have to change the
+command parameters accordingly.
+
+Finalizing the setup
+--------------------
+
+At this point, if you have followed the steps above, you should restart the trust anchor.
+I should not be necessary to do so but just in case.
+
+
+Creating a trust mark for an entity
+-----------------------------------
+
+For this the script *create_trust_mark.py* is included.
+Typical usage::
+
+    ./create_trust_mark.py -d trust_mark_issuer -m https://refeds.org/category/personalized -e https://127.0.0.1:4002
+
+
+usage: create_trust_mark.py [-h] [-d DIR_NAME] [-e ENTITY_ID] [-m TRUST_MARK_ID] ::
+
+    options:
+      -h, --help            show this help message and exit
+      -d DIR_NAME, --dir_name DIR_NAME The directory of the trust mark issuer
+      -e ENTITY_ID, --entity_id ENTITY_ID The target of the Trust Mark
+      -m TRUST_MARK_ID, --trust_mark_id TRUST_MARK_ID
+

setup_federation/README.rst → setup_federation/README_wallet.rst

@@ -56,7 +56,7 @@ This must be done while the Trust anchor is running.
 Of course if you have changed the entity_id of the trust anchor from
 https://127.0.0.1:7003 to something else you have to change this command accordingly.
 
-Now your done with phase 1 concerning the trust anchor. So you can
+Now you're done with phase 1 concerning the trust anchor. So you can
 kill that process for the time being.
 
 Trust Mark Issuer

setup_federation/entity.py

@@ -22,6 +22,9 @@ def init_app(dir_name, **kwargs) -> Flask:
     app = Flask(name, static_url_path='', **kwargs)
     sys.path.insert(0, dir_path)
 
+    # Session key for the application session
+    app.config['SECRET_KEY'] = os.urandom(12).hex()
+
     entity = importer(f"{dir_name}.views.entity")
     app.register_blueprint(entity)
 

setup_federation/openid_provider/certs/cert.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE1jCCAr6gAwIBAgIJAKfFQiMtLzHBMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC2V4YW1wbGUuY29tMB4XDTIwMDIwMzE1MzIzOVoXDTMwMDEzMTE1MzIzOVow
+FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQC5AlQs6EvAklf4ca/dJCpep1cGNTuZl+8AvZ7TgUbbANet3sG1n0gP
+msqLtuXonrGpcWi5iXEvj5ukezTGyTp0gfSXswO5ZaZIwZIV+SVftatvk6gv+kEJ
+xnnPHrte362XfKnJ2CHa2ONvWH0hsfYEZI0XAnUrMjis6MLakBvVObRn0/Bamnbn
+oKUbm2XbykoNjejEY6GXzDZvusjZMbj3nj6zFfC3J8COLRlHA5plf5Ji02nG+Hbu
+jQjMF3RABkf+iILI6AF0wvwuzaYIP2iZs0SrRASqLIv1cf/r3WVeMb/T6pSG8hOq
+EZIQLLS4fpQLrXfjD9x8eLHvQycDQkpfYspuy1OGKc8Iz6D6P7Kw3rTZTU9AWCSp
+I+xxiZMCXwBobthCdfhzEZKlf6vCqW/b08dDS2e5VeM77GaMRv+MWJ83bvv9Rn4+
+lJJhVuRLeAeEwaaEA63g1mSJ33lvUmdkLLhLp5YCLvEA1aBzlnj58VXIeoWyo51D
+nRPrtSHbLXhC8z1vJkC7G3+P92K+KQmtK0ESdjvuiPePUQwoadrr5EZxTYDPXzxV
+An1wY6HB+XTy923h4QA0K38RsYQfpRSnwZim9gKpcj584eS4+V9+/G8K9jApgn2+
+mjlaIz90qqHVm2MYQWiWtzAmk2NYXrY7uNyHBkpHw5F4Y3Gy1wWgeQIDAQABoycw
+JTAjBgNVHREEHDAaggtleGFtcGxlLmNvbYILZXhhbXBsZS5uZXQwDQYJKoZIhvcN
+AQELBQADggIBAICzblWmzH9ExIbjkGifLLT5BOdH7ZNceoMZyjKfN3Rfc5SrHiPV
+VlWCFeVtfI5ClIaRqroKCRmsbAtIC30u52WrQkSFvsKOhOyOwiH3afbLqHcq8sZf
+1HpJqe3kx15mlX/ZnovqCTEaW+oDvNis8uQ4DQ8hRZYwnAdr8U8w1bFzcDkai4e8
+40aTwdTQnzj968KP0HRj1Jj29OR231KZpQruG+uAlSPSGa3V2jxD+FXezOd4clCD
+3JbeVEoj62DbUyXqje9TcNapFLtEmhCW/grOwi8AQECec3aZSQOaPT33vay7ws00
+UkNFRCsarMFSvcUSqEhJGKbjrh1p6guqLZxDwSOC2oqJpDMMpekfgQNTUO8BFqEg
+7+//Nw8TugCcXw5vveUlcduwt8j8a5Jtj8uNRWce6cJ4ZaGTCpign8FYRi2lUEdA
+dfJOyTajvstEy3zeFMnKAqWa10slHIsLSC5KzEkhgChuTNgXEPKn8ccF9s4bWq3c
+l/MFDxr0X0IC8ihOtWQPdtOtjBA29UtpGhYWJ8C9m8MRzVcTszrKatVe9jjst/oi
+YnZrJbEPhpMvIcmICSCfY2rtDTVd6urRewma+5bbgncroFp6gFCoxT69rOzsdj5U
+RBwQifnbVWLxSK+UhhLJyZLChmCTdsGa8v8xCpGf97Gue5l99l7MfKSZ
+-----END CERTIFICATE-----

setup_federation/openid_provider/certs/example.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEvjCCAqagAwIBAgIJAPzktJKkVjyWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCTEyNy4wLjAuMTAeFw0yMDAyMDMxODU1NTZaFw0zMDAxMzExODU1NTZaMBQx
+EjAQBgNVBAMMCTEyNy4wLjAuMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMImFTNFtJuJKj93E4qakRFtJZv1fuuqE85WOF2bv2UMttuYiwgcm6XdIa+T
+mYchDTZJCm+b+FsB8DRrh57YGkwQhoinRN6RKxEV7QlyiWeQ+cSc6E4NmqMzvJ1q
+GiXgiTXMyZFDKOY7ueINw1URGYaBCcot1STpQWcDH9sQhEBema6CDyG/7swGhwR/
+GjXM1KMdE60nk6Fs5+zYfbMQtU7TN8bNY0vyhIx7B3lEPh61Wu+5szdRJJP6n5+P
+x/G+SbTaDeLZo2QGY1Bfvhr4x8nN1tQv3sGJZpahrSDhx4krHRggVLyWVwlME7Am
++zCRkljm42N5bcjzFOtlY8LhMeT5TfoLG0PMCw0WITTjNC4vUEGbkSM8xqZq++Al
+v9KhCVqD5/jNkSqns24bUGOCIxaKyuH6xFbcVH17GvqzNUuVdAD334qIuvAAaNQP
+vW6bMMAbVHEkDYDX2m0XSgMCqu1Sxs9vkhgSJwLodEnSGFBZUnQw5LjOFB8bB4x4
+auI/GkSYBlrNOfyYsqODSdrl+erLDY2Hix6xqV1C0xyOljYSwV09UNmmgDiexqyp
+hwRv0Yi1PhU7mF2HFpJHZ2NNWih8dqMy5rjBzxsh+r9XIwFAWTavNBo04tMh1e8J
++PCV0FcFPjszsVLi/6Y+492EAnCeSpjjKXhKslwvAFDr6NslAgMBAAGjEzARMA8G
+A1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAGQyPrG+/jevDn2ZP7xP
+GKd7MZFj0qBwfQin0EgpYVTeTlDPaF6rG66HTnO3CFiwvzEN8CpuF1xLIzLZtZdL
+mWx5isl04MPhyBc2pht95sYPLuhuFa1syYhWDCv6Xf0g15T6THw44+/V5ERO8jTe
+anVr4OLC+q2QIalhs35SOTzlQa2WieS0d+kz8LEd3zw2gt/4AVwqlqnUkIi0IE99
+EOWIc6nllkARKduiB3h4H+yrdYJLnR01V+I0BdsotsaJ3eH0weZ/iFpLWvgErLG5
+ATxFXbbrY4LJhKbEzP8qCYF96LwGfOrOqOHnxW6EO4gnZVPnbwjrf4UKGFrgrz4p
+st7dAigatKq6Y9TEM0vAhc98cDMqWq6Jln/UVKqAkH40P9etI2y3IL28A4rp9Kxe
+jOBzIsr/0Cl7bvZNpCZ3kdTAF8vBKV63UVngIU5vFKre6l3bPRayZbKc/rgUfN+v
+GKNMVe7NQAoNWhq1Ilt8V+HccNtFSeJi41f0nzeuv/U3OwseG4si73awqv5vyrn8
+RiqWRuV1JNj1kRYU+1QP+grLlIyNqs3s3lvXeYmlkxEvmupnPJU1O95jAG4pigjT
+6Z8Qy4fyjMpfsOrdQMbKTtLOamY3zfQLuez/8zNhZcsARd3CVNa3TgqRNgKtfT45
+RR6BaKSg57NJI1iFrnbzjLoR
+-----END CERTIFICATE-----

setup_federation/openid_provider/certs/example.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDCJhUzRbSbiSo/
+dxOKmpERbSWb9X7rqhPOVjhdm79lDLbbmIsIHJul3SGvk5mHIQ02SQpvm/hbAfA0
+a4ee2BpMEIaIp0TekSsRFe0JcolnkPnEnOhODZqjM7ydahol4Ik1zMmRQyjmO7ni
+DcNVERmGgQnKLdUk6UFnAx/bEIRAXpmugg8hv+7MBocEfxo1zNSjHROtJ5OhbOfs
+2H2zELVO0zfGzWNL8oSMewd5RD4etVrvubM3USST+p+fj8fxvkm02g3i2aNkBmNQ
+X74a+MfJzdbUL97BiWaWoa0g4ceJKx0YIFS8llcJTBOwJvswkZJY5uNjeW3I8xTr
+ZWPC4THk+U36CxtDzAsNFiE04zQuL1BBm5EjPMamavvgJb/SoQlag+f4zZEqp7Nu
+G1BjgiMWisrh+sRW3FR9exr6szVLlXQA99+KiLrwAGjUD71umzDAG1RxJA2A19pt
+F0oDAqrtUsbPb5IYEicC6HRJ0hhQWVJ0MOS4zhQfGweMeGriPxpEmAZazTn8mLKj
+g0na5fnqyw2Nh4sesaldQtMcjpY2EsFdPVDZpoA4nsasqYcEb9GItT4VO5hdhxaS
+R2djTVoofHajMua4wc8bIfq/VyMBQFk2rzQaNOLTIdXvCfjwldBXBT47M7FS4v+m
+PuPdhAJwnkqY4yl4SrJcLwBQ6+jbJQIDAQABAoICAQCf6LQPfftLHEfi7BX5VGPm
+AYs3kJWQT45upc9ZMn4LIdS+vD7PWJjOnXswXRbYGN4D91cUJFgDxW3uDx8uMvo9
+6mKUzYjI9LKPKQsKe/82gU9npIEmQMg8YdGZqhmNVwpMeLcQ4UsfjtQEn6diOmpW
+wZOppeRnuYN38DfdvBXh2skj1dXWy3pJK5srlfClnWcKTlm1heJv0/6Wsp2dzkY3
+fXr0UJjXphGMj4zRUecEbgVPbBlzl27UP1oYF1ns//k/b1Z+oRmVujk0qxcuqfgM
+fHDUZfVIXP5VVSb+7Vfm387f30lL51wauUGCFilQkKYEeW+SsCI/oA977w+jJM5t
+Q1g1fxXBw6qG1Ynpw6XEJtr9WX8+TYOWllLraYdmpCnRHI0DhFPXoDzGgqU9+MUT
+u1ztYZI73FAzyAD/LID8NYc1hWP6ybLrlJAJwA3u7x8Ub1eYqysig6dXbGBfOcd5
+/TvbSePMi+XLAWBS9c+rtHN9gUnHDUFr1PwjVJ9BxW72RmsjCM6NRYHCrL/jAsaE
+Is+5U9GpiXkXIIBBVruHmnYUPuc2Rj8m9ELCI0vWgQsPJ3CQeBD3sRp7cRWZAQmS
+WnaVhv77X3nuUloxSk35Noa/Hs/DeT/KCMZY1dpuQGDvL8qMPYjYz+rczQTdGsfs
+1xXPhTtMBjlWxlA2/txogQKCAQEA+bj8IS1iHnWplvD+Jt/rlVqiMVE9OY7LROL1
+qQWUp1YrQK+2NWYm1FqTGCvq5Y6qs1HFtWtGr2TDhq56mvtxETl67CednnIwG3pm
+D3aAo4jrlJGLrAy6iSVHT5UsQYH/EGBxsI4+uVSyd1sGwblK+Ct1ta9IFpqVuLXF
+alkf4pmtM8goIf7z+2EwCE6OOg7H0XJ771fpB3OKc0hx5ZQ6uWHpmbrVcYFIIxbn
+uV00pplWkbLHppsp1shyPaQ9Li9TisFKpIZ5hgDFLWtbmdsnxObBtSU3h1UuIGlT
+mdtpM1B2xMc+Fb9NhIe1UOtrBN4U7LPMaUEhDoi5HsDs4kavRQKCAQEAxwd4GHn7
+pEb3t26NvFh496rjWaqtwdZhl4+vjvfnhSdKkZJIl5esKwHTVjb6gGKG4b9Eygc9
+96OTAfg+mhYyCKO81YIiWyxeXsUq740tQccCkfaRGDQoRXNlYSdZuZxxNBoJW5iG
+6HVnF3F7YHOT4lWs8DYzxjoIdHgud9mWD/QZMb8n+X/bkH57J/5Dxqx1g292+WUG
+KGN0K2w15J9mnybqr/2NDCG4djcLfkoLEGwJPvPwa59GslbDeDxjT/OZCliuO6Jo
+uDZI4ibWFeKXx+NmBogdM43FcTIYUtB8LJgraKtAevJzbmolcxPVyMtSm1uDd/k1
+e/tdEvSn2MTKYQKCAQAYifz8paEGrTlFA9l1qHtV6doWTo1dopKG6maJfWrmJqmJ
+abrV9HvMUjoyHd6vQB22EUsEUM5ZXeV4zpxtrlemAaf6nMn4T/A6QwTUcCij6Uh9
+CPBYr8eEwo0HXPlEVqnhyhhh6RhwzcnbwK4hSzv6twqSF+9ViUs9I1+K28cuVTuX
+4wtOi+cdxKcbqdyACAPKqR1Un6befJQWUAAhNzeuD9kMqjdfN/0GtbF/nZEW7ep7
+1r2XuZea64eOVx1L9IqZD/VtxWkbqee2Vt5heA+oYaSXUFjsi4pE1RTKAa2MxVNm
+cs2/BVVwuIUwtnGFwOz9dY2YqjW9X+IRC5Q7iAahAoIBACDzSZyzxUeDQEusD+cY
+tp46On2D1lR7C5kt/qCqxjezM5M6Jq6CO8y69qQVYg+TQEVrhxXzcPzopdPzp1mX
+Rx1LDl5CtzFk/RKvjdYvB0kWi4Riz860A97LpgMZoq8qCUvY66ewbtVZaoHlFcn4
+GImmKYVzU8sDnJa7tuW8ri1h+jHUNegGlPEtH3KVk972elYSRB4x7X0OShNOTPXW
+tgSvSrdsQMe7ZXCc2FhGJeLIIBe+BxWqPugTmTT0unRoHfQqjl3tG20z/4kBaPwi
+kYJUUXXPXxZD6GY/Juu+/G/dmYIwp/Iy5Y1oIV8V75TYpIp38iIQrhwil1wmCQvI
+OMECggEBAKb/hSBX7Z0sz0hbTPdUpQK/OWND8hKpkq+FqJxkQbzSesUk8DbCm8wz
+ciOLa6ssWu8le4nIDpcySTZSahXAZF7thI1l5S5kVGLz51dPfLMZnQff7Endykdj
+doGwS1BZows799AcccE5FxwH47/xMzGvM+hP/cn3uYU5f6DgMCGzQFz4pPx1SRN1
+ujb0io34/XV3ZtSitMSwqvucTDNzrKF9DBT65/XgUlz6uvlyWpf5ntmIykWUCexr
+NPPnAlAIPztWJ9uEEdTX/UVLP99IUESEgGZfmnUVXf9ixAB6buWmnFOtGutahPtC
+Fwjw1JIGykNEpzQej6jgYXXnqoL8pas=
+-----END PRIVATE KEY-----