nevis
/
adn-agov-iam-admin-inventory
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new configuration version

This commit is contained in:
haburger 2025-12-08 17:22:53 +00:00
parent 5a80b61c6f
commit 9669ab54de
5 changed files with 449 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
View File

@ -46,7 +46,7 @@ spec:
podDisruptionBudget: podDisruptionBudget:
maxUnavailable: "50%" maxUnavailable: "50%"
git: git:
tag: "r-28d025621af8913de776f24a3d4921835e1af78e" tag: "r-52cf67aa5ec5c56333d2605f507c60bb29159968"
dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth" dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth"
credentials: "git-credentials" credentials: "git-credentials"
keystores: keystores:

19
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy Normal file
View File

@ -0,0 +1,19 @@
import ch.nevis.esauth.auth.engine.AuthResponse
import ch.nevis.esauth.util.httpclient.api.HttpClient
if (outargs['out.JWTToken']) {
// we have a token
def header = "Bearer ${outargs['out.JWTToken']}"
response.setNote('agov.test.token', header)
notes.setProperty('agov.test.token', header)
response.removeOutArg('out.JWTToken')
}
// if (!response.getNote('agov.test.token')) {
// response.setResult('newToken')
// return
//}
// show the GUI
response.setResult('display')

316
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
View File

@ -105,7 +105,7 @@
</SessionCoordinator> </SessionCoordinator>
<!-- source: pattern://ac27dd7daad0ca2b7229bfaf --> <!-- source: pattern://ac27dd7daad0ca2b7229bfaf -->
<LocalOutOfContextDataStore reaperPeriod="60"/> <LocalOutOfContextDataStore reaperPeriod="60"/>
<!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf --> <!-- source: pattern://2787b678d9cce5310a335419, pattern://fd3912c7af7a88b6342a4c78, pattern://12c979b6af0f15f1328656a4, pattern://24cbc652d3166c8374eda3cd, pattern://56955e7b6b92c254d7d1aae1, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://6f9c9f982dcc7ef59a34f1f7, pattern://7518c6cc61e47eec6322ae17, pattern://ac27dd7daad0ca2b7229bfaf, pattern://6df66943ca713eed2a25d935, pattern://ac27dd7daad0ca2b7229bfaf, pattern://ac27dd7daad0ca2b7229bfaf -->
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false"> <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
<!-- source: pattern://3fd09bb6cfbd34874595c263 --> <!-- source: pattern://3fd09bb6cfbd34874595c263 -->
<Domain name="IDENT-AuthenticationRealm" default="false" inactiveInterval="60" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}"> <Domain name="IDENT-AuthenticationRealm" default="false" inactiveInterval="60" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
@ -131,11 +131,14 @@
</Domain> </Domain>
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Domain name="SAML_SP_nevisidm_operations_Realm" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}"> <Domain name="SAML_SP_nevisidm_operations_Realm" default="false" inactiveInterval="1800" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
<Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/> <Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/> <Entry method="authenticate" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/> <Entry method="logout" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/ACS/.*$:true}"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/SAML2/stepup/.*$:true}"/>
<Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_NEVIS_SecToken" selector="${request:requiredRoles:^token.NEVIS_SecToken$:true}"/> <Entry method="stepup" state="SAML_SP_nevisidm_operations_Realm_NEVIS_SecToken" selector="${request:requiredRoles:^token.NEVIS_SecToken$:true}"/>
<Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/> <Entry method="unlock" state="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration"/>
</Domain> </Domain>
<AuthState name="IDENT-AuthenticationRealm_IDENT-Process-and-Dispatch" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true"> <AuthState name="IDENT-AuthenticationRealm_IDENT-Process-and-Dispatch" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://0f6977caedca600b17221f0a --> <!-- source: pattern://0f6977caedca600b17221f0a -->
@ -362,7 +365,7 @@
</AuthState> </AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Restore_Level" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false"> <AuthState name="SAML_SP_nevisidm_operations_Realm_Restore_Level" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/> <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_ERROR"> <Response value="AUTH_ERROR">
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
@ -378,21 +381,222 @@
<Gui name="ContinueResponse"/> <Gui name="ContinueResponse"/>
</Response> </Response>
</AuthState> </AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_set_userExtId_Groovy_Script_Step" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://488949a743edb1f46f73f232 -->
<ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step"/>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://488949a743edb1f46f73f232 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://488949a743edb1f46f73f232 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Gui name="Error">
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<GuiElem name="info" type="error" label="error_99"/>
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<GuiElem name="submit" type="button" label="continue.button.label"/>
</Gui>
<!-- source: pattern://700ec185425d8645fea2caf5 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="failed" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="prospect" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Gui name="AuthFailDialog"/>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="user.loginid" value="unknown"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="userExtId" value="${sess:operationsExtId}"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="client.name" value="OPERATIONS"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.user" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.profile" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.role" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.authorization" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.dataroom" value="HIGH"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_selectProfile" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="error" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Gui name="op_idmlogin_select_profile">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" optional="true"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<GuiElem name="submit" type="button" label="submit.button.label" value="go"/>
</Gui>
</Response>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/selectIdmProfile.groovy"/>
</AuthState>
<AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_fetch_User_Authentication_Step_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="clientNotFound" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<ResultCond name="showGui" next="SAML_SP_nevisidm_operations_Realm_Authentication_Failed"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<Response value="AUTH_ERROR"/>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="user.attributes" value="loginId,extId,firstName,name,email,language"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="chooseProfileFromSession" value="operationsProfileExtId"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="userExtId" value="${sess:operationsExtId}"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="client.name" value="OPERATIONS"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.user" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.profile" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.role" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.authorization" value="HIGH"/>
<!-- source: pattern://56955e7b6b92c254d7d1aae1 -->
<property name="detaillevel.dataroom" value="HIGH"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="emailaddressDidntChange,givennameDidntChange,surnameDidntChange,languageDidntChange" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:emailaddressDidntChange" value="#{ !sess.containsKey('idp.email') or sess.get('idp.email').equals(sess.get('ch.nevis.idm.User.email')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:givennameDidntChange" value="#{ !sess.containsKey('idp.firstName') or sess.get('idp.firstName').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:surnameDidntChange" value="#{ !sess.containsKey('idp.lastName') or sess.get('idp.lastName').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="condition:languageDidntChange" value="#{ !sess.containsKey('idp.language') or sess.get('idp.language').equals(sess.get('ch.nevis.idm.User.language')) }"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_Update" class="ch.nevis.idm.authstate.IdmSetPropertiesState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="emailExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="inputInvalid" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="inputMissing" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="loginIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="userIdExists" next="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<propertyRef name="nevisIDM_Connector"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="client.name" value="${sess:ch.adnovum.nevisidm.clientName}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.optional" value="email,firstName,name,language"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.mandatory" value="remarks"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.email" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.firstName" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.name" value="${notes|saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.language" value="${notes|saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance}"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attribute.remarks" value="Updated based on assertion '${sess:ch.nevis.auth.saml.assertion.id}' (Request-ID: ${inctx:connection.HttpHeader.X-Request-ID})"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="user.attributes.overwrite" value="email,firstName,name,language,remarks"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="allowInvalidUserEmails" value="true"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false"> <AuthState name="SAML_SP_nevisidm_operations_Realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/> <ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState"/>
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<Response value="AUTH_DONE"> <Response value="AUTH_DONE">
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<Gui name="ContinueResponse"/> <Gui name="ContinueResponse"/>
</Response> </Response>
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
</AuthState> </AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false"> <AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditError" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_ERROR">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="script" value=" def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.error(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', error='failed to update user in IDM', lasterrorinfo='${lasterrorinfo}'&quot;); response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_ERROR); "/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_UpdateUserIfNeeded_AuditUpdate" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Prepare_Done"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<Response value="AUTH_CONTINUE"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
<!-- source: pattern://24cbc652d3166c8374eda3cd -->
<property name="script" value=" def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'; def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'; def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'; LOG.info(&quot;Event='USERUPDATE', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'&quot;); "/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Redirect_RelayState" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<ResultCond name="default" next="SAML_SP_nevisidm_operations_Realm_Auth_Done"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_DONE"> <Response value="AUTH_DONE">
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Gui name="ContinueResponse"/>
</Response>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/redirect_relay_state.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<Response value="AUTH_DONE">
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://271d024334021208b71ac80a -->
<Gui name="ContinueResponse"/> <Gui name="ContinueResponse"/>
</Response> </Response>
</AuthState> </AuthState>
@ -598,12 +802,6 @@
<!-- source: pattern://2787b678d9cce5310a335419 --> <!-- source: pattern://2787b678d9cce5310a335419 -->
<property name="user.cred.saml_federation3.subjectNameId" value="true"/> <property name="user.cred.saml_federation3.subjectNameId" value="true"/>
</AuthState> </AuthState>
<AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
<!-- source: pattern://12c979b6af0f15f1328656a4 -->
<property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
</AuthState>
<AuthState name="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential" class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false" resumeState="false"> <AuthState name="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential" class="ch.nevis.idm.authstate.IdmCreateCredentialState" final="false" resumeState="false">
<!-- source: pattern://fd3912c7af7a88b6342a4c78 --> <!-- source: pattern://fd3912c7af7a88b6342a4c78 -->
<ResultCond name="credentialExists" next="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential_Failed"/> <ResultCond name="credentialExists" next="OP-ONBRDNG-AuthenticationRealm_OP-ONBRDNG-PostProcessing_SamlFedCredential_Failed"/>
@ -1084,6 +1282,74 @@
<!-- source: pattern://271d024334021208b71ac80a --> <!-- source: pattern://271d024334021208b71ac80a -->
<property name="generateNow" value="true"/> <property name="generateNow" value="true"/>
</AuthState> </AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_CheckIsTokenGeneration" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://65330385b309bfe32943c8ad -->
<ResultCond name="generateToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<ResultCond name="nomatch" next="SAML_SP_nevisidm_operations_Realm_PreProcess_Done"/>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<Response value="AUTH_ERROR">
<!-- source: pattern://65330385b309bfe32943c8ad -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://65330385b309bfe32943c8ad -->
<property name="condition:generateToken" value="${request:requiredRoles:generateToken}"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Response value="AUTH_ERROR"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.audience" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.issuer" value="https://op.agov-w.azure.adnovum.net/SAML2/ACS/"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="token.header.includeType" value="true"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="token.algorithm" value="RS512"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="keystoreref" value="DefaultKeyStore"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="keyobjectref" value="DefaultSigner"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.subject" value="${request:userId}"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.include.jwtId" value="true"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="out.time_to_live" value="14400"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_PreProcess_Done" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="authenticate" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="logout" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="stepup" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="unlock" next="SAML_SP_nevisidm_operations_Realm_Extract_Issuer"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
</Response>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:authenticate" value="${request:method:^authenticate$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:stepup" value="${request:method:^stepup$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:unlock" value="${request:method:^unlock$:true}"/>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="condition:logout" value="${request:method:^logout$:true}"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_Prepare" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="display" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<ResultCond name="newToken" next="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration"/>
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/EncodeAndDisplayToken.groovy"/>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false"> <AuthState name="SAML_SP_nevisidm_operations_Realm_Extract_Issuer" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_IDP_Selection"/> <ResultCond name="ok" next="SAML_SP_nevisidm_operations_Realm_IDP_Selection"/>
@ -1095,6 +1361,16 @@
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/saml_sp_nevisidm_operations_realm_extract_issuer.groovy"/>
</AuthState> </AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_DoTokenGeneration_DisplayMe" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<Gui name="TestTokenDisplayDialog" label="test.token.title">
<!-- source: pattern://541e5c4aaf4cf98ed6b574dc -->
<GuiElem name="info" type="text" label="test.token.label" value="#{ notes.getProperty('agov.test.token', 'missing') }" optional="true"/>
</Gui>
</Response>
</AuthState>
<AuthState name="SAML_SP_nevisidm_operations_Realm_IDP_Selection" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false"> <AuthState name="SAML_SP_nevisidm_operations_Realm_IDP_Selection" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<ResultCond name="authenticate:https\u003A//trustbroker.agov-d.azure.adnovum.net_continuation" next="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/> <ResultCond name="authenticate:https\u003A//trustbroker.agov-d.azure.adnovum.net_continuation" next="SAML_SP_nevisidm_operations_Realm_SAML_IDP_op_Connector_Connector"/>

74
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy Normal file
View File

@ -0,0 +1,74 @@
import groovy.xml.XmlSlurper
def idmSeverityRoleMap = [
"EnterpriseRoleAdmin": [11, "op-idmlogin.role.accs-mgmt-idm"],
"ClientRoot": [12, "op-idmlogin.role.support-priv"],
"AppAdmin": [20, "op-idmlogin.role.idmcfg-mgmt"],
"AppOwner": [5, "op-idmlogin.role.accs-mgmt-nonidm"],
"UserAndUnitAdmin": [7, "op-idmlogin.role.usr-unit-mgmt"],
"UserAdmin": [6, "op-idmlogin.role.usr-mgmt"],
"TemplateAdmin": [10, "op-idmlogin.role.support-basic"],
"Helpdesk": [1, "op-idmlogin.role.readonly-access" ]
]
try {
def dtoString = session['ch.adnovum.nevisidm.userDto']
def idmDto = new XmlSlurper().parseText(dtoString)
def idmPrfMap = idmDto.'**'.findAll
{ prf -> prf.name() == 'profiles'
&& prf.'**'.find
{ role -> role.name() == 'roles'
&& role.applicationName.text() == 'nevisIdm'
}
}.collectEntries { prf -> [ prf.extId.text(),
prf.'**'.findAll
{ role -> role.name() == 'roles'
&& role.applicationName.text() == 'nevisIdm'
}.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()] ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()})"]
}.sort { a, b -> a[0] <=> b[0] // sort by severity
}.last()[1] // take label of the ighest one
] }
if ((inargs.getProperty('submit', '') == 'go') && idmPrfMap.containsKey(inargs.getProperty('profile_selection', 'missing'))) {
// user selected a profile which exists, we take it
def operationsProfileExtId = inargs.getProperty('profile_selection', 'missing')
LOG.info("User selected profile: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
response.setResult('ok')
return
} else if (idmPrfMap.size() == 1) {
// we take the only profile, with an IDM role
def operationsProfileExtId = idmPrfMap.keySet().first()
LOG.info("taking the only profile with an idm role: ${operationsProfileExtId} '${idmPrfMap.get(operationsProfileExtId)}'")
response.setSessionAttribute('operationsProfileExtId', '' + operationsProfileExtId)
response.setResult('ok')
return
} else if (idmPrfMap.isEmpty()) {
// no profile with an IDM role, do nothing
response.setResult('ok')
return
} else {
// user should select a profile
response.setGuiName('op_idmlogin_select_profile')
idmPrfMap.each {
response.addRadioGuiField('profile_selection', it.value, it.key)
}
response.addButtonGuiField('submit', 'general.continue', 'go')
response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE)
return
}
} catch (Exception e) {
def errorMsg = "Failed to process profile selection: ${e.getMessage()}"
LOG.error(errorMsg, e)
response.setError(9901, errorMsg)
response.setResult('error')
}

59
DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy Normal file
View File

@ -0,0 +1,59 @@
try {
def s = request.getAuthSession(true)
LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
// set operation's account extId and profile extid
if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
response.setResult('error');
return
}
response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
// extract additional attributes from assertion in session
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
}
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
}
if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
}
if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
}
// we take the first one, if there is no profile in the operations unit
def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
.split(',').find{pairstr -> pairstr.split("\\\\")[1] == "130274ee-7e24-4050-9b94-d5717ef52ade" }
?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
if (! unitAndProfileExtidPar.contains('130274ee-7e24-4050-9b94-d5717ef52ade') )
{
LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
}
response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
// ad role based on agov aq level
def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
]
if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
}
response.setResult('ok');
} catch(Exception ex) {
LOG.warn("Exception in selectProfile groovy script: " + ex)
response.setResult('error');
}