From be8368b0a32c54a08a0ab0e5e10b53999059457a Mon Sep 17 00:00:00 2001
From: haburger
Date: Wed, 30 Oct 2024 15:20:36 +0000
Subject: [PATCH] new configuration version
---
 ...8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml | 2 +-
 .../default/conf/selectIdmProfile.groovy | 2 +-
 .../set_userextid_groovy_script_step.groovy | 21 +++++++------------
 3 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
index 63adce1..2f458ad 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/etc/nevis/k8s-nevisauth-ac27dd7daad0ca2b7229bfaf.yaml
@@ -45,7 +45,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-51ca9db578a2820945a06c2b1f6661c4ee51d76a"
+ tag: "r-64e7c8657e319dd2784c3d579040cfd79cd13611"
 dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
index 4951a61..bc73e57 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/selectIdmProfile.groovy
@@ -25,7 +25,7 @@ try {
 prf.'**'.findAll { role ->
 role.name() == 'roles' && role.applicationName.text() == 'nevisIdm'
- }.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()] ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()})"]
+ }.collect{ rolePrioEntry -> idmSeverityRoleMap[rolePrioEntry.name.text()].?concat("(${prf.name.text()})") ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()}, ${prf.name.text()})"]
 }.sort { a, b -> a[0] <=> b[0] // sort by severity
 }.last()[1] // take label of the ighest one
 ]
 }
diff --git a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
index dd542e1..5ce6f26 100644
--- a/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
+++ b/DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/auth/var/opt/nevisauth/default/conf/set_userextid_groovy_script_step.groovy
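Review bot: The added `collect` line uses `.?concat(...)`, which is not Groovy's safe-navigation operator (`?.`) and I would not expect it to parse; and even as `?.concat`, the map values look like `[severity, label]` pairs judging by the `[1000, "DO-NOT-USE(...)"]` fallback and the `a[0]` / `.last()[1]` accesses on the context lines below, so a `concat(String)` call on that value would throw rather than append the profile name. If the intent is to suffix the label with the profile name while keeping the pair shape the `sort` and `last()[1]` rely on, something like `idmSeverityRoleMap[rolePrioEntry.name.text()]?.with { [it[0], "${it[1]}(${prf.name.text()})"] } ?: [1000, "DO-NOT-USE(${rolePrioEntry.name.text()}, ${prf.name.text()})"]` does that and keeps the elvis fallback for unknown roles. This appears to be the nevisAuth profile-selection step, so an expression that fails here would abort the step for every user carrying a nevisIdm role instead of degrading to the `DO-NOT-USE` label; the script deserves a compile check before the referenced tag is rolled out. The enclosing `try` block starts outside the hunk.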
@@ -13,22 +13,17 @@ try {
 response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])
- if (! notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].contains('130274ee-7e24-4050-9b94-d5717ef52ade') )
+ // we take the first one, if there is no profile in the operations unit
+ def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
+ .split(',').find{pairstr -> pairstr.split("\\\\")[1] == "130274ee-7e24-4050-9b94-d5717ef52ade" }
+ ?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
+
+ if (! unitAndProfileExtidPar.contains('130274ee-7e24-4050-9b94-d5717ef52ade') )
 {
- LOG.warn("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has not operations profile")
- response.setResult('error');
- return
- }
-
-
- notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',').eachWithIndex { pairstr, i ->
- pair = pairstr.split("\\\\")
- if (pair[1] == "130274ee-7e24-4050-9b94-d5717ef52ade") {
- response.setSessionAttribute('operationsProfileExtId', pair[0])
- LOG.warn(pair[0] + " userprofileExtid has the wanted unitExtId " + pair[1])
- }
+ LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
 }
+ response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
 response.setResult('ok');
 } catch(Exception ex) {