From 4f3dc20b3102fec164830a3b1f1aa5f8859590e8 Mon Sep 17 00:00:00 2001
From: haburger
Date: Wed, 4 Sep 2024 13:52:45 +0000
Subject: [PATCH] new configuration version
---
...8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml | 4 +--
.../var/opt/nevisauth/default/conf/env.conf | 2 +-
...nevisidm_admin_realm_extract_issuer.groovy | 16 +++++++++--
...idm_operations_realm_extract_issuer.groovy | 16 +++++++++--
...visidm-batch-641ac4edf0c17383d3c0ea38.yaml | 4 +--
.../var/opt/nevisidm/default/conf/env.conf | 2 +-
.../k8s-idm-db-ca0629d86201d4c4ac857d60.yaml | 27 +++++++++++++++++++
...visidm-admin-ba7c7a3b091df0c4b8ba0bb2.yaml | 8 +++---
.../var/opt/nevisidm/default/conf/env.conf | 2 +-
.../default/conf/nevisidm-prod.properties | 4 +--
...instance-idm-3bc06037962ad13be0a3a95d.yaml | 4 +--
...oxy-instance-bd83dfbd467e8211ffe71d28.yaml | 4 +--
12 files changed, 73 insertions(+), 20 deletions(-)
create mode 100644 DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-idm-db-ca0629d86201d4c4ac857d60.yaml
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
index 3ba03ee..e72f982 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 type: "NevisAuth"
 replicas: 1
- version: "8.2405.1"
+ version: "8.2405.2"
 gitInitVersion: "1.3.0"
 runAsNonRoot: true
 ports:
@@ -45,7 +45,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-e55486a997fb8f6cdab5eac835e6374e73b3824f"
+ tag: "r-a5b664b2c1f534aab19c8301f3618a8c5096d222"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/env.conf b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/env.conf
index 000317d..5a048d7 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/env.conf
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/env.conf
@@ -12,7 +12,7 @@ JAVA_OPTS=(
 "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
 "-Dotel.javaagent.logging=application"
 "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
- "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+ "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
 "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-default-tls-trust/truststore.p12"
 "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-default-tls-trust/keypass}"
 )
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_admin_realm_extract_issuer.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_admin_realm_extract_issuer.groovy
index 65de380..05df29d 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_admin_realm_extract_issuer.groovy
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_admin_realm_extract_issuer.groovy
@@ -2,8 +2,17 @@ import java.util.zip.Inflater
 import java.util.zip.InflaterInputStream
 def extractPost(String value) {
- def decoded = new String(value.decodeBase64())
- def xml = new groovy.xml.XmlSlurper().parseText(decoded)
+ if (value == null) {
+ return
+ }
+ String text
+ if (value.startsWith("<")) {
+ text = value
+ }
+ else {
+ text = new String(value.decodeBase64())
+ }
+ def xml = new groovy.xml.XmlSlurper().parseText(text)
 // according to the SAML spec Issuer is optional but we need it for dispatching
 def issuer = xml.depthFirst().find { it -> it.name().equalsIgnoreCase("Issuer") }?.text()
 session.put("saml.inbound.issuer", issuer)
@@ -40,6 +49,9 @@ if (inargs.containsKey("SAMLResponse")) {
 else if (inargs.containsKey("SAMLRequest")) {
 handleMessage("SAMLRequest")
 }
+else if (inargs.containsKey("soapheader")) {
+ handleMessage("soapheader")
+}
 else { // no incoming message.
 if (request.getCurrentResource().matches('^http[s]?\u003A//[^/]+/SAML2/ACS/.*$')) {
 LOG.debug("denying request without incoming message on ACS path")
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy
index 65de380..05df29d 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy
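Review bot: The base64 branch still decodes with `new String(value.decodeBase64())`, which uses the JVM default charset, so a SAML message containing non-ASCII characters (an Issuer or NameID with umlauts, say) can be mis-decoded on a container whose default charset is not UTF-8; `text = new String(value.decodeBase64(), "UTF-8")` pins it. The new `value.startsWith("<")` pass-through does not tolerate leading whitespace or a BOM in a raw-XML value — such input falls into the base64 branch and fails there — so either test `value.trim().startsWith("<")` or state in a comment that raw input must begin with `<`. The early `return` on null skips `session.put("saml.inbound.issuer", ...)`, leaving whatever the session already holds under that key; if that is intended, a comment like `// nothing to inspect: leave the session's issuer untouched` makes it explicit. The same two hunks appear verbatim in saml_sp_nevisidm_operations_realm_extract_issuer.groovy and carry the same points; extractPost's closing brace lies outside the hunk.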
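Review bot: The new `soapheader` branch is evaluated after the SAMLResponse and SAMLRequest checks, so a request carrying both a SAML parameter and a soapheader value is dispatched as SAML and the soapheader is ignored, and nothing in the hunk records whether that precedence is deliberate. `handleMessage` is defined outside the hunk, so which decoding path the soapheader value takes is not visible here; presumably it is the raw-XML case the `startsWith("<")` change in extractPost was added for, but that should be confirmed. A comment on the branch, e.g. `// SOAP binding: soapheader carries the message as raw XML; SAML parameters take precedence`, would document both points once verified.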
@@ -2,8 +2,17 @@ import java.util.zip.Inflater
 import java.util.zip.InflaterInputStream
 def extractPost(String value) {
- def decoded = new String(value.decodeBase64())
- def xml = new groovy.xml.XmlSlurper().parseText(decoded)
+ if (value == null) {
+ return
+ }
+ String text
+ if (value.startsWith("<")) {
+ text = value
+ }
+ else {
+ text = new String(value.decodeBase64())
+ }
+ def xml = new groovy.xml.XmlSlurper().parseText(text)
 // according to the SAML spec Issuer is optional but we need it for dispatching
 def issuer = xml.depthFirst().find { it -> it.name().equalsIgnoreCase("Issuer") }?.text()
 session.put("saml.inbound.issuer", issuer)
@@ -40,6 +49,9 @@ if (inargs.containsKey("SAMLResponse")) {
 else if (inargs.containsKey("SAMLRequest")) {
 handleMessage("SAMLRequest")
 }
+else if (inargs.containsKey("soapheader")) {
+ handleMessage("soapheader")
+}
 else { // no incoming message.
 if (request.getCurrentResource().matches('^http[s]?\u003A//[^/]+/SAML2/ACS/.*$')) {
 LOG.debug("denying request without incoming message on ACS path")
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/etc/nevis/k8s-nevisidm-batch-641ac4edf0c17383d3c0ea38.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/etc/nevis/k8s-nevisidm-batch-641ac4edf0c17383d3c0ea38.yaml
index cd1229e..13207e7 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/etc/nevis/k8s-nevisidm-batch-641ac4edf0c17383d3c0ea38.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/etc/nevis/k8s-nevisidm-batch-641ac4edf0c17383d3c0ea38.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 type: "NevisIDM"
 replicas: 1
- version: "8.2405.1"
+ version: "8.2405.2"
 gitInitVersion: "1.3.0"
 runAsNonRoot: true
 ports:
@@ -46,7 +46,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-559fc1c9e95f51132e6ad328d8310c6ce3073856"
+ tag: "r-a5b664b2c1f534aab19c8301f3618a8c5096d222"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/var/opt/nevisidm/default/conf/env.conf b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/var/opt/nevisidm/default/conf/env.conf
index 13dfb9b..6b6fd51 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/var/opt/nevisidm/default/conf/env.conf
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm-job/var/opt/nevisidm/default/conf/env.conf
@@ -4,5 +4,5 @@ JAVA_OPTS=(
 "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
 "-Dotel.javaagent.logging=application"
 "-Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties"
- "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+ "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
 )
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-idm-db-ca0629d86201d4c4ac857d60.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-idm-db-ca0629d86201d4c4ac857d60.yaml
new file mode 100644
index 0000000..fac101e
--- /dev/null
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-idm-db-ca0629d86201d4c4ac857d60.yaml
@@ -0,0 +1,27 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+ name: "idm"
+ namespace: "adn-agov-nevisidm-admin-01-uat"
+ labels:
+ deploymentTarget: "idm"
+ annotations:
+ projectKey: "DEFAULT-ADN-AGOV-ADMIN-PROJECT"
+ patternId: "ca0629d86201d4c4ac857d60"
+spec:
+ type: "NevisIDM"
+ databaseType: "MariaDB"
+ version: "8.2405.2"
+ url: "mariadb-agov-uat.mariadb.database.azure.com"
+ port: 3306
+ ssl: true
+ database: "nevisidm_uat"
+ bootstrap: false
+ migrate: true
+ rootCredentials:
+ name: "root-adn-agov-nevisidm-admin-01-uat-idm"
+ namespace: "adn-agov-nevisidm-admin-01-uat"
+ podSecurity:
+ policy: "baseline"
+ automountServiceAccountToken: false
+ timeZone: "Europe/Zurich"
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-nevisidm-admin-ba7c7a3b091df0c4b8ba0bb2.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-nevisidm-admin-ba7c7a3b091df0c4b8ba0bb2.yaml
index 5de154c..f31de98 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-nevisidm-admin-ba7c7a3b091df0c4b8ba0bb2.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/etc/nevis/k8s-nevisidm-admin-ba7c7a3b091df0c4b8ba0bb2.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 type: "NevisIDM"
 replicas: 1
- version: "8.2405.1"
+ version: "8.2405.2"
 gitInitVersion: "1.3.0"
 runAsNonRoot: true
 ports:
@@ -46,9 +46,12 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-23274ff50cbcc5dc1409914b80d55bad4f51e4a5"
+ tag: "r-a5b664b2c1f534aab19c8301f3618a8c5096d222"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm"
 credentials: "git-credentials"
+ database:
+ name: "idm"
+ requiredVersion: "8.2405.2"
 keystores:
 - "idm-default-identity"
 truststores:
@@ -60,5 +63,4 @@ spec:
 timeZone: "Europe/Zurich"
 secrets:
 secret:
- - "a2068eb83a60702322c13949-27ed70d3"
 - "c418560f50e0332d087e85bf-89ec31e5"
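Review bot: `ssl: true` on the new NevisDatabase resource comes with no trust anchor, whereas the instance's own JDBC URL in nevisidm-prod.properties (same commit) pins `trustStore=/var/opt/keys/trust/idm-db-tls-truststore/truststore.jks`; whether the operator's connection for `migrate: true` verifies the server certificate against a CA or only encrypts is not visible here and matters because that connection runs with `rootCredentials`. If the CRD accepts a truststore reference, it belongs next to `ssl: true`; otherwise a comment such as `# ssl: true — server-certificate verification relies on <operator default, TODO confirm>` records the assumption. `bootstrap: false` alongside `migrate: true` on a freshly added resource also deserves a one-line comment stating that the schema already exists and only migrations are expected to run.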
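Review bot: The new `database:` binding replaces the secret-based DB credential, and the last hunk of this file drops `a2068eb83a60702322c13949-27ed70d3` from `secrets.secret`, which nevisidm-prod.properties in this commit shows was the `database.connection.password` source. Removing the reference does not invalidate the credential; the DB password it held should be rotated and the secret object deleted once no other instance references it, otherwise a still-valid credential lingers in the secret store and in git history. `requiredVersion: "8.2405.2"` now has to be kept in step with `spec.version` here and with `version` on the NevisDatabase resource; if these files are generated from the pattern ids in the annotations that is fine, but a comment saying so would stop a hand edit from bumping one and not the others.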
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/env.conf b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/env.conf
index 13dfb9b..6b6fd51 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/env.conf
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/env.conf
@@ -4,5 +4,5 @@ JAVA_OPTS=(
 "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
 "-Dotel.javaagent.logging=application"
 "-Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties"
- "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+ "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
 )
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties
index d068640..bf922f0 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties
@@ -3,9 +3,9 @@ web.gui.languages.default=de
 # source: pattern://ca0629d86201d4c4ac857d60
 database.connection.url=jdbc:mariadb://mariadb-agov-uat.mariadb.database.azure.com:3306/nevisidm_uat?pinGlobalTxToPhysicalConnection=1&useMysqlMetadata=true&cachePrepStmts=true&prepStmtCacheSize=1000&useSSL=true&trustStore=/var/opt/keys/trust/idm-db-tls-truststore/truststore.jks
 # source: pattern://ca0629d86201d4c4ac857d60
-database.connection.username=adndbadmin
+database.connection.username=${exec:/var/opt/nevisidm/default/conf/credentials/dbUser}
 # source: pattern://ca0629d86201d4c4ac857d60
-database.connection.password=secret://a2068eb83a60702322c13949-27ed70d3
+database.connection.password=${exec:/var/opt/nevisidm/default/conf/credentials/dbPassword}
 # source: pattern://ba7c7a3b091df0c4b8ba0bb2
 application.mail.smtp.host=greenmail.adn-agov-mail-01-dev.svc
 # source: pattern://ba7c7a3b091df0c4b8ba0bb2
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
index e99d1ce..3673610 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm/etc/nevis/k8s-nevisproxy-instance-idm-3bc06037962ad13be0a3a95d.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 type: "NevisProxy"
 replicas: 1
- version: "8.2405.0"
+ version: "8.2405.1"
 gitInitVersion: "1.3.0"
 runAsNonRoot: true
 ports:
@@ -46,7 +46,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-e55486a997fb8f6cdab5eac835e6374e73b3824f"
+ tag: "r-a5b664b2c1f534aab19c8301f3618a8c5096d222"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm"
 credentials: "git-credentials"
 keystores:
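Review bot: `database.connection.username` and `database.connection.password` are now resolved at startup via `exec:` from `/var/opt/nevisidm/default/conf/credentials/dbUser` and `dbPassword`, a path inside the instance's `conf` tree that the NevisIDM resource syncs from git (`dir: ".../idm"`, the same tree this properties file lives in); the commit adds no such files, so they are presumably provided at runtime by the `idm` database binding, which should be confirmed, along with an exclusion of `credentials/` from the repository so a password file can never be committed next to this file. Because `exec:` executes or reads whatever sits at that path, the directory's ownership and mode should be restricted to the nevisidm user. The previous value `secret://a2068eb83a60702322c13949-27ed70d3` remains in git history, so the credential it referenced should be rotated. A comment above the two keys, e.g. `# dbUser/dbPassword are provisioned at runtime by the idm NevisDatabase binding, never stored in git`, would make the dependency visible; adjust the wording to whatever actually provisions the files.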
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml
index d7fcf7c..d9d026f 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp/etc/nevis/k8s-operations-nevisproxy-instance-bd83dfbd467e8211ffe71d28.yaml
@@ -11,7 +11,7 @@ metadata:
 spec:
 type: "NevisProxy"
 replicas: 1
- version: "8.2405.0"
+ version: "8.2405.1"
 gitInitVersion: "1.3.0"
 runAsNonRoot: true
 ports:
@@ -46,7 +46,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-e55486a997fb8f6cdab5eac835e6374e73b3824f"
+ tag: "r-a5b664b2c1f534aab19c8301f3618a8c5096d222"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp"
 credentials: "git-credentials"
 keystores: