Attendees:
Ivan, Giuseppe, Heather, Hannah, Roland, Scott, John P, Johan, Nikos
1 - Status of architecture documentation & Normalizing idpy projects (see email from Ivan, "Subject: [idpy-discuss] Normalizing across all projects”, 10 November 2020)
Before we make djangosaml2 part of idpy, we should have a stronger set of guidelines on what we expect in terms of managing a project (using semver, readthedocs, change logs, etc). Could also use something called “cookie cutter” which does several of the set up of these kinds of things for projects in GitHub. While we would not create new project spaces for projects that come in with their own repository, it would allow for a type of model and technical documentation on how we think projects should look like. Note that this would let us to also normalize on how we handle issues, what labels we use, PR templates, a common FAQ, tooling to build and test packaging, boilerplate (README, LICENSE, etc)
• Example: https://github.com/SUNET/eduid-webapp/tree/master/cookiecutter-app
Ivan will continue to write up his thoughts in email.While Ivan can make these decisions for Satosa and pySAML2, need input from other maintainers.
Discussion:
• We can agree to semver and pep8, but some of the other things we’ve been talking about are very heavy for some of the smaller projects.
• Do we know who our customers are, and what they need? Will they be taking our libraries and using them to build their own use cases? Or are they looking for a packaged service they can just run? We can’t cater to both. Can we have two categories of rules? One size won’t fit all projects.
• What about change logs? They send a good signal to deployers about what to watch for when they upgrade (or help them decide if an upgrade is required).
Consensus:
• semver
• pep8
• readthedocs
• README and LICENSE files
• PR and issue templates (already exist)
• Change logs
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
New project for the documentation on session management (code is still in oidcendpoint). Since readthedocs can’t handle documentation for forks, this allows the publication of material before the code is even final. Has not pushed to readthedocs yet; will aim to have that done before the next call.
b. Satosa - https://github.com/IdentityPython/SATOSA
No changes.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
There was a bug in the redirect binding, where the request was also going to be signed. The problem is that by default, if the signing algorithm was not specified, the right parameters were not produced. This has been fixed. In the same PR will be Giuseppe’s work on configurable signing and digest algorithm (see https://github.com/IdentityPython/pysaml2/pull/744) Ivan will be pushing a commit with partial notes (in the form of bullet points) and other people involved will help turn that into proper documentation. We will need to refactor the whole process of signing, encryption, and decryption.
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Thanks! Heather
Hello everyone,
at the last idpy meeting, we started a discussion around normalizing
how idpy projects operate. The goal is to agree on a baseline on how
we treat different project aspects and how we can harmonize those in
order to give users uniform expectations. A user that is familiar with
how project-x works, should automatically be familiar with how
project-y works when they decide to use that too. The first step is to
agree on guidelines, and then have each project steadily work its way
to that. In the process, we should effectively be cultivating a
culture on how we manage projects, and not blindly follow policies.
The initial discussion started around documentation, versioning and
changelogs. Many more things can and should be discussed. Those
include topics such as tooling, CI/CD, testing, packaging, release
schedules, issues management, git-workflow, etc. I will expand on some
of those topics and we can further discuss in this or separate threads
or in the following calls about each one.
## Documentation
I think we can all agree that documentation is important and needed. I
make a distinction between documentation whose audience is a user and
documentation whose audience is a developer. The user-documentation
consists mainly of the project API, how it is used, and use-case
scenarios. The developer-documentation consists of architectural
diagrams, design choices, separation of entities, and general guidance
on how modules are separated and code is organized.
Being part of the python community, the natural tool around
documentation is https://readthedocs.org/. Readthedocs works in tandem
with Git(Hub) projects, and can automatically be kept in sync with a
repo.
- Do we agree to use https://readthedocs.org/ to publish documentation?
- Should we request PRs to include documentation? or, should we
fill-in the documentation when creating a new release?
## Managing change
### Versioning
What we actually want to do with versioning is _signal_ the type of
changes that are part of a new release. The most common versioning
scheme is semantic versioning (https://semver.org/) - other things out
there include CalVer (https://calver.org/) Apache versioning
(https://apr.apache.org/versioning.html) and more. However, I think
semver is quite common and probably everyone will agree that it's
fine. Most importantly it achieves the goal of signaling in a simple
way:
> Given a version number MAJOR.MINOR.PATCH, increment the:
>
> - MAJOR version when you make incompatible API changes,
> - MINOR version when you add functionality in a backwards
> compatible manner, and
> - PATCH version when you make backwards compatible bug fixes.
>
> Additional labels for pre-release and build metadata are available
> as extensions to the MAJOR.MINOR.PATCH format.
- Do you think we should use semver?
### Changelog
Same as with documentation, the Changelog comes in two flavours - the
changelog that is intended for developers, and the changelog that is
intended for users (aka release notes). The technical-changelog is the
VCS-log itself and contains purely technical entries on how the code
was modified to achieve a certain effect. We have the technical
changelog for free.
On the other hand, the user-changelog has the form of a set of release
notes. The release notes should be enough to explain what’s going on
to someone deploying the package, or to a user that wants to use new
functionality - it is a summary of the new release value. This type of
changelog cannot be autogenerated, and we must write and curate by
hand. As with versioning, there are some formats out there, but I
think something like keepachangelog (https://keepachangelog.com/) is
easy to use and very close to what most of us would end up with while
trying to specify a consistent format.
When should the user-changelog be updated? Usually this is done either
at release-time.
- Should we maintain a changelog/release-notes?
I will continue this subject with more topics, soon. I'm looking
forward to your thoughts!
Cheers,
--
Ivan Kanakarakis
Attendees:
Ivan, Heather, Giuseppe, Johan, Roland, John, Hannah, Matthew, Christos, Leif
Regrets:
Scott
1 - Status of documentation
Hannah is still working on the pySAML2 documentation.
Scott K is working on reorganizing the documentation he’s written on GitHub (how readthedocs is organized and presented)
No update on the architecture documentation, but it is coming up in priority.
Board considers documentation (both user and developer) critical as a way to grow the community.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Regarding documentation, we need a central site that describes how it all fits together. Could we use readthedocs for this? Possibly, but we would need link from the project sites to the documentation site.
We have some new people programming in this space: Ori Mizrahi and David Hess.
Roland is working with the session management backend.This is mostly working; focusing on the tests now to make sure it works in all cases. When that’s done, it will be very different from the old version. Documentation will be absolutely required (background, design choices, how to use it in context). See branch “new session handling” in https://github.com/IdentityPython/oidcendpoint
b. Satosa - https://github.com/IdentityPython/SATOSA
Within eduTEAMS, had an incident that may be related to the memory leak. Unclear, and no more info is available.
We have a contribution for an apple signing backend.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Ivan is working through the algorithm PRs (744 and 745). They aren’t quite passing tests, but as soon as those are sorted, they will be merged.
• https://github.com/IdentityPython/pysaml2/pull/744
• https://github.com/IdentityPython/pysaml2/pull/745
Namespace prefix changes to make them more readable. This is mostly a “nice-to-have”.
• https://github.com/IdentityPython/pysaml2/pull/326
• https://github.com/IdentityPython/pysaml2/pull/625
Priority list:
• Make algorithms configurable, enforcing the policies (see https://github.com/IdentityPython/pysaml2/pull/744 and 745)
• Getting away from xmlsec1 and instead working in memory. Expect we will switch to lxml.
• Architecture documentation
AOB
• At the Board meeting, we talked about normalizing some things across all projects. Example: documentation using readthedocs; how we manage changes and versions (e.g., semantic versioning); change logs. The group needs to discuss this further. We need to add these to future agendas (and to the mailing list) for discussion.
• The goal isn’t to enforce this harmonization immediately, but to give each project a direction to start making changes.
• If we use readthedocs, it is structured by projects, so even general documentation will need to be structured as a “project"
• For change logs, there is what’s automatically available with a revision control, but that doesn’t always describe adequately what actually happened. What may be more useful would be a set of release notes. The release notes should be enough to explain what’s going on to someone deploying the package, and gitlog is what you need as a developer to understand what’s going on. We have discussed this and semantic versioning at a TIIME meeting in 2019. pySAML is not using semver because they decided to have Ivan only work on the current/future work, and only back ports handled the patch version.
• Ivan will post a summary and a recommendation around this discussion re: versioning and change logs to the list.
Thanks! Heather
Hello all,
Our dev call scheduled for 27 October is cancelled. If you have any urgent questions or issues, please drop a note to the appropriate slack channel. Otherwise, see you on 10 November!
Thanks! Heather
Attendees:
Ivan, Matthew, Heather, Hannah, John P, Giuseppe
Regrets:
Scott
1 - Status of documentation
Hannah Sebulibah will be meeting with Ivan to figure out where to start on documentation. Will likely start from the current configuration, which will help with cleaning up existing options and fixing the defaults. The API will also need help, but that’s a much bigger project and Ivan needs to do some work first. Scott has also started creating issues with where he wants to work on items.
pySAML2 has a readthedocs connection, and we need to reorganize the top-level headers. What’s there is mostly about the configuration options, and it is missing material.
We could also use the minimal working example of an IdP; Matthew has a gist about this.
Satosa does not have a readthedocs connection; nothing generates documentation. Readthedocs can use markdown, which will be less work on our side.
Ivan will also be updating the architecture docs, esp. around the middleware. Hasn’t gotten to that yet.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Recent focus in GitHub has been on oidcendpoint. The people involved in the OIDC project are debating frequent small releases vs larger, more complete releases with more thorough testing approx. once a month. When something is decided here, we should likely have the same policies across all the projects. We can also focus on pre-releases. A goal is to have automated testing and release with each tag. Suggest we focus on following the change log format guidelines as here: https://keepachangelog.com/
Roland is working on a new session back-end. There is some concern that this may result in a breaking change.
b. Satosa - https://github.com/IdentityPython/SATOSA
Memory leak still a mystery.
Should probably have its own key manager that is shared between its front ends and back ends.
We have some merge requests, mainly around documentation, with a bit about the plop front end.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Will be working on automated pre-releases.
Have been updating based on current issue list and some PRs. See:
• https://github.com/IdentityPython/pysaml2/issues/720#issuecomment-700694146
• https://github.com/IdentityPython/pysaml2/pull/727 - logout response location
• https://github.com/IdentityPython/pysaml2/pull/728 - logout response location
• https://github.com/IdentityPython/pysaml2/pull/704 - default name format
• https://github.com/IdentityPython/pysaml2/pull/721 - Increase key size in demo key generation (note this is probably still too small; proper fix is to switch algorithms
• See also: https://github.com/IdentityPython/pysaml2/issues/712 to support switching algorithms
• https://github.com/IdentityPython/pysaml2/pull/597 - needs to be expanded to include enforcement
• Using a key manager would make handling keys easier, but it is not a priority
Priority list:
• Make algorithms configurable, enforcing the policies
• Getting away from xmlsec1 and instead working in memory. Expect we will switch to lxml.
Thanks! Heather
Hello everybody,
As you may have guessed from the subject of this email, I have the pleasure
of presenting here djangosaml2, in anticipation of its migration to
Identity Python.
In CC Jozef Knaperek, former contributor of pysaml2 and person who from
2016 to date has maintained the fork of this project, now hosted in the
personal github, which today has a fair audience and satisfaction within
the Django community.
Here is:
https://github.com/knaperek/djangosaml2
As is evident, djangosaml2 is an application designed for Django Framework,
written above pysaml2 that presents closely related goals to this. This is
why we believe that bringing djangosaml2 to idpy can be quite natural, and
if we want it also advantageous, for the possibility of increasing its
community.
Currently the project is published on Pypi and the version release policy,
and acceptance of contributions, depends on validating the code by running
unit tests (Tox over Github actions). The coverage of djangosaml2 is
currently less than 80% in the v0.40.1 but higher than 90% for the v1.0.0
version (see branch of the same name). The latter is in the process of
being released and it might be a good opportunity to release it directly
within idpy.
The versions from v0.19.0 to v1.0.0 were made possible by a great
enthusiasm, which arose within its community, manifested following the
first interactions for the requalification of the project, as regards the
feedback offered both in the issues and in the PR pending. Having given so
much trust activated several contributors in a relatively short time makes
us optimistic about the general resilience of the project, such as to think
about the good health of its community and not least the possibility that
this project could hopefully continue to live on external contributions
only.
In any case, the people that are glad to present here djangosaml2, for whom
we undertake the commitment of a management over time, are Me and Knaperek.
I know that we have not written everything but rather we fear we have
written too much. We are available to answer in this thread on further
organizational and managerial aspects of the project.
Sure of your kind reply, we greet you
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
--
------------------------------------------------------------------------------------------------------------------
Il banner è generato automaticamente dal servizio di posta elettronica
dell'Università della Calabria
<https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>
Attending:
Heather, Ivan, Hannah Sebuliba, Scott, Roland, Matthew, John P, Giuseppe
Notes
1 - Status of architecture documentation
Ivan promises to write more down. Heather will continue to nag him until he does.
Has continue thinking about the middleware, and is planning on some restructuring and clarification of the Satosa docs.
We had collected use cases in the wiki (https://github.com/IdentityPython/SATOSA/wiki) and we also spoke about setting up docker containers to demonstrate those use cases. This is something others could do; if interested, please reach out to Ivan.
Also on the list, better documentation for the API which will serve as groundwork for future changes. We are using readthedocs for pySAML2 (see https://pysaml2.readthedocs.io/) but it focuses on the configuration options; needs more.
Team is encouraged to add a GitHub issue for sections of the documentation they are working on so we can keep track of what’s being created. Scott will take a first cut at the pySAML2 top level documentation, and will then write docs on how to spin up a minimal working example of IdP. Matthew will submit his manual install of Satosa documentation: https://gist.github.com/xenophonf/22d0ec836005040a9f7c7bb80b183eda. There is also a strong argument for shifting where we can to a Document Driven Development model, writing the documentation first, share it with others, then write the code.
2 - Potential new project for idpy - status?
a. https://github.com/knaperek/djangosaml2 - Giuseppe has sent an email to the list; Roland has indicated support. Heather will take this to the Board.
This is linked to pySAML2. Having a project that directly uses pySAML2 that allow people to quickly set up an IdP is a good way to help direct usability improvements for pySAML2.
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Roland is preparing an issue around session management with the oidcendpoint. He is writing docs on how it should work, and then will work on the code.
Ivan is working on CryptoJWK and will add a new CLI for the ‘use’ flag.
b. Satosa - https://github.com/IdentityPython/SATOSA
Memory leak is still a mystery. This may actually be a problem with gunicorn.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Giuseppe went through the open issues, closing several and making notes on others.
New merges: documentation; changed the default re: signatures; removed all the assertion calls.
Looking at replacing the calls to xmlsec1 and doing the same action in memory.
Ivan has not yet pu shed the changes for the default algorithms. Will switch to SHA-512.
Thanks! Heather
Hola a todos!
I want to highlight something from our meeting notes today: the need for more documentation.
Everyone is encouraged to add a GitHub issue for sections of the documentation they are working on so we can keep track of what’s being created.
Scott will take a first cut at the pySAML2 top level documentation, and will then write docs on how to spin up a minimal working example of IdP. Matthew will submit his manual install of Satosa documentation: https://gist.github.com/xenophonf/22d0ec836005040a9f7c7bb80b183eda.
Ivan will be working on improving the documentation for the APIs, but that can certain use some assistance.
If you are willing to spend a bit of time on this, the work would be most gratefully received!
Thanks! Heather
Attending:
Johan, Heather, Ivan, Hannah Sebuliba, Scott, John, Christos
Regrets:
Giuseppe
Notes
1 - Status of architecture documentation
No update since the last call.
For architecture in general, Ivan will be adding some patches for the middleware idea. The configuration will be part of the middleware; this will not be a breaking change. Also has some additional ideas to wrap parts of the applications (e.g., what we do with the micro services). This would allow easier to extend the micro services.
2 - Potential new project for idpy - status?
a. https://github.com/knaperek/djangosaml2
Notes from Giuseppe:
djangosaml2
Jozef Knaperek (the current repository owner) expressed a favorable opinion for the migration to idpy. I lost him during the holidays but it's probably right that it was! Watching djangosaml2's contributors we can see how many guys contributed in it and also in pysaml2. I think that this migration would be quite natural for many aspects, one of these is the opportunity to extend its community, abandoning the position of "mantainance fork" moving into a more proper and authoritative space. For those who do not know djangosaml2 this is the integration of pysaml2 in Django Framework, it help us creating a SAML2 SP in the full respect of pysaml2 approach. I am sure you have already given it a look. The latter commits have handled a SameSite cookie workaround, similar to which already seen in SATOSA and we are getting ready for a major release (v1.0.0) with a general code refactor (ClassView) and a better code coverage (>89%). v1.0.0 would be a LTS release and probably we'll have a RC for some months before do that. v1.0.0 would have also pysaml2 >=v6.1.0 as dependencies and we're facing pysaml2's breaking changes regarding this. Finally, I'm only a repository admin that are driving djangosaml2 best I can and, at last but not least, a real stakeholder, because I largely use it in my production contexts.
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Notes from Giuseppe:
I didn't still produced a debate in #oidc channel, but if I were did it I'd ask about the default policy that oidcendpoint have, regarding the requested scope against the supported or availables, for each RP. In that issue I tried to describe my (usually coloured) experience: https://github.com/IdentityPython/oidcendpoint/issues/73
The goal of this debate would be the possibility to configure the default behaviour (policy) in oidcsession, through oidcendpoint global configuration, that will let each platform administrator decide how to handle the release of unavailable or unallowed scopes.
That's a reference for this:
https://github.com/IdentityPython/JWTConnect-Python-OidcService/blob/51df9e…
Notes from Ivan:
There has been a bug in one of the underlying libraries for ECC crypto in the OIDC endpoints. It is not handling exceptions well. It is fixed, but there is not a release yet. When there is a release, need to force the use of the patch.
b. Satosa - https://github.com/IdentityPython/SATOSA
Ivan is reviewing current issues to come back up to speed.
Mostly working on middleware to add flexibility to what we do.
Ivan is considering the issue of multiple key descriptors - how can we define and coordinate keys? Currently the configuration is messy.
• See also: https://github.com/IdentityPython/SATOSA/issues/334
Merge requests under consideration:
• https://github.com/IdentityPython/SATOSA/pull/332 - dynamic requested attributes. Will be incorporated soon.
• https://github.com/IdentityPython/SATOSA/pull/231 - unsolicited front end work
Will just merge changes as long as they are not breaking changes. All breaking changes will be held and done in one release.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Potential memory leak. Ivan has been using a function trace library to find this (https://functiontrace.com/) It could not follow the forks or threads that were created, but there is a new release of the software that should be able to do that now. eduTeams has a test environment that has a test environment that Ivan will use to continue to track this issue down.
Several pending merge requests:
• https://github.com/IdentityPython/pysaml2/pull/711 - request signing. Very simple, should go through
• https://github.com/IdentityPython/pysaml2/pull/704 - Assumed name format for different attribute elements. The spec dictates that, by default if no format is set, it should be unspecified, which is not what we’re doing. This is a both a breaking change and a fix. This PR also points to https://github.com/IdentityPython/pysaml2/issues/601.
• https://github.com/IdentityPython/pysaml2/pull/665 - how temp files work on Windows. Named temp files don’t work correctly on Windows. We need to wrap this in our own class/structure and detect when we’re using Windows and do things on our own on that system. We can either fix this or not use these files at all (doing these operations in memory), but the library that provides the bindings only has bindings for signing not encryption.
• https://github.com/IdentityPython/pysaml2/pull/660 - allows multiple certificate files. Ivan will be making some changes to the code.
• https://github.com/IdentityPython/pysaml2/pull/645 and https://github.com/IdentityPython/pysaml2/pull/628 - need to change the default algorithms and make them configurable. Will not support MD5 at all. It is easy to display what we support but harder to do internally. These are still a work in progress.
• See also: https://github.com/IdentityPython/pysaml2/issues/712 - the user is using ECC keys for the signing, but internally we assume RSA keys
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Next call: 15 September 2020
Thanks! Heather
