new configuration version

This commit is contained in:
haburger 2024-10-31 16:11:05 +00:00
parent e563ca2f0f
commit d5aefc344b
5 changed files with 3 additions and 313 deletions


@ -46,7 +46,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
tag: "r-3341a3df2b54ab6368125d7df7c223019a1fb969"
tag: "r-f7d5f97ee0feefcae245dd0d18143b4d911b6bd8"
dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp"
credentials: "git-credentials"
keystores:


@ -1,73 +0,0 @@
function contains(tab, val)
for index, value in ipairs(tab) do
if value == val then
return true
end
end
return false
end
function inputHeader(request, response)
if (request:getMethod() == "GET" or request:getMethod() == "HEAD" or request:getMethod() == "OPTIONS" or request:getMethod() == "TRACE") then
-- these requests are not sensitive (do not manipulate state) and are thus not checked
return
end
-- patterns sets allowed domains or {}
domains = {}
host = request:getHeader("Host")
if (host == nil) then
-- Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.
request:getTracer():notice("VA05", "Missing Host header")
response:setHeader("Content-Type", "text/plain")
response:setBody("400 Bad Request")
response:send(400)
return
end
-- extract host name
host = host:match('([^:]+)')
referer = request:getHeader("Referer")
if (referer ~= nil) then
referer = referer:match('^%w+://([^/:]+)')
if (referer ~= host and not contains(domains, referer)) then
if (referer ~= nil) then
request:getTracer():notice("VA01", "HTTP Referer header " .. referer .. " does not match host " .. host)
else
request:getTracer():notice("VA01", "HTTP Referer header " .. request:getHeader("Referer") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
end
response:setHeader("Content-Type", "text/plain")
response:setBody("403 Denied")
response:send(403)
return
end
end
origin = request:getHeader("Origin")
if (origin ~= nil) then
origin = origin:match('^%w+://([^/:]+)')
if (origin ~= host and not contains(domains, origin)) then
if (origin ~= nil) then
request:getTracer():notice("VA01", "HTTP Origin header " .. origin .. " does not match host " .. host)
else
request:getTracer():notice("VA01", "HTTP Origin header " .. request:getHeader("Origin") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
end
response:setHeader("Content-Type", "text/plain")
response:setBody("403 Denied")
response:send(403)
return
end
end
if (origin == nil and referer == nil) then
request:getTracer():info("VA05", "Referer or Origin header is required for sensitive requests")
response:setHeader("Content-Type", "text/plain")
response:setBody("403 Denied")
response:send(403)
return
end
end


@ -1,18 +0,0 @@
# load modsecurity
Include /var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/modsecurity.conf
# apply whitelist modifications - must be done before loading other rules (replaces REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf)
# apply application-specific paranoia level
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
# load the rule set of the virtual host
Include /var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/rules.conf
# apply rule exceptions (replaces RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf)
# set mode
SecRuleEngine On


@ -1,18 +0,0 @@
# load modsecurity
Include /var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/modsecurity.conf
# apply whitelist modifications - must be done before loading other rules (replaces REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf)
# apply application-specific paranoia level
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
# load the rule set of the virtual host
Include /var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/rules.conf
# apply rule exceptions (replaces RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf)
# set mode
SecRuleEngine On


@ -66,7 +66,7 @@
<param-value>false</param-value>
</init-param>
</filter>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://bd83dfbd467e8211ffe71d28 -->
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter>
<filter-name>Authentication_SAML_SP_nevisidm_operations_Realm</filter-name>
<filter-class>ch::nevis::isiweb4::filter::auth::IdentityCreationFilter</filter-class>
@ -116,36 +116,6 @@
<param-value>false</param-value>
</init-param>
</filter>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<filter>
<filter-name>Authorization_Forbidden_Roles_nevisIdm.Root_SAML_SP_nevisidm_operations_Realm</filter-name>
<filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<init-param>
<param-name>DynamicRoleAcquire</param-name>
<param-value>false</param-value>
</init-param>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<init-param>
<param-name>RolesForbidden</param-name>
<param-value>nevisIdm.Root</param-value>
</init-param>
</filter>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<filter>
<filter-name>Authorization_Required_Roles_nevisIdm.Helpdesk_nevisIdm.TemplateAdmin_nevisIdm.UserAndUnitAdmin_nevisIdm.AppAdmin_nevisIdm.UserAdmin_nevisIdm.AppOwner_nevisIdm.EnterpriseRoleAdmin_nevisIdm.ClientRoot_SAML_SP_nevisidm_operations_Realm</filter-name>
<filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<init-param>
<param-name>DynamicRoleAcquire</param-name>
<param-value>false</param-value>
</init-param>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<init-param>
<param-name>RolesRequired</param-name>
<param-value>nevisIdm.Helpdesk nevisIdm.TemplateAdmin nevisIdm.UserAndUnitAdmin nevisIdm.AppAdmin nevisIdm.UserAdmin nevisIdm.AppOwner nevisIdm.EnterpriseRoleAdmin nevisIdm.ClientRoot</param-value>
</init-param>
</filter>
<!-- source: pattern://13ea034de32c190083ba9e35, pattern://13ea034de32c190083ba9e35#nevisIDM -->
<filter>
<filter-name>CSRFRewrite_nevisIDM_Operations_Administration_GUI</filter-name>
@ -161,21 +131,6 @@
<param-value>replacement</param-value>
</init-param>
</filter>
<!-- source: pattern://21d48876e12f7599c87ebd64, pattern://2a09bff81af3e18af3e13d3f, pattern://bd83dfbd467e8211ffe71d28 -->
<filter>
<filter-name>CSRF_Default</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<init-param>
<param-name>Script.InputHeaderFunctionName</param-name>
<param-value>inputHeader</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<init-param>
<param-name>Script.Path</param-name>
<param-value>/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csrf_default.lua</param-value>
</init-param>
</filter>
<!-- source: pattern://58ece0328f5bf4d78e1a82d2, pattern://58ece0328f5bf4d78e1a82d2#filters -->
<filter>
<filter-name>DefaultErrorFilter</filter-name>
@ -225,26 +180,6 @@
<param-value>/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/security_op-onbrdng-modsecuritysettings.conf</param-value>
</init-param>
</filter>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<filter>
<filter-name>ModSecurity_Web_Application_canaryPage_backend</filter-name>
<filter-class>ch::nevis::nevisproxy::filter::modsecurity::ModsecurityFilter</filter-class>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<init-param>
<param-name>ConfigFile</param-name>
<param-value>/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/security_web_application_canarypage_backend.conf</param-value>
</init-param>
</filter>
<!-- source: pattern://2a09bff81af3e18af3e13d3f, pattern://bd83dfbd467e8211ffe71d28 -->
<filter>
<filter-name>ModSecurity_Web_Application_canaryPage_frontend</filter-name>
<filter-class>ch::nevis::nevisproxy::filter::modsecurity::ModsecurityFilter</filter-class>
<!-- source: pattern://2a09bff81af3e18af3e13d3f -->
<init-param>
<param-name>ConfigFile</param-name>
<param-value>/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/security_web_application_canarypage_frontend.conf</param-value>
</init-param>
</filter>
<!-- source: pattern://13ea034de32c190083ba9e35 -->
<filter>
<filter-name>ModSecurity_nevisIDM_Operations_Administration_GUI</filter-name>
@ -471,7 +406,7 @@
<param-value>120</param-value>
</init-param>
</filter>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://bd83dfbd467e8211ffe71d28 -->
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter>
<filter-name>SessionHandler_SAML_SP_nevisidm_operations_Realm</filter-name>
<filter-class>ch::nevis::nevisproxy::filter::session::SessionManagementFilter</filter-class>
@ -593,17 +528,6 @@
<url-pattern>/nevisidm/*</url-pattern>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>SessionHandler_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/canary/api/*</url-pattern>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://bd83dfbd467e8211ffe71d28 -->
<filter-mapping>
<filter-name>SessionHandler_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/canary/*</url-pattern>
<exclude-url-regex>^/canary/api/.*$</exclude-url-regex>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>SAML_AllowCORS_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/SAML2/ACS/*</url-pattern>
@ -628,28 +552,6 @@
<filter-name>ModSecurity_OP-ONBRDNG-ModSecuritySettings</filter-name>
<url-pattern>/AUTH/ONBOARDING/*</url-pattern>
</filter-mapping>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<filter-mapping>
<filter-name>ModSecurity_Web_Application_canaryPage_backend</filter-name>
<url-pattern>/canary/api/*</url-pattern>
</filter-mapping>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<filter-mapping>
<filter-name>CSRF_Default</filter-name>
<url-pattern>/canary/api/*</url-pattern>
</filter-mapping>
<!-- source: pattern://2a09bff81af3e18af3e13d3f, pattern://bd83dfbd467e8211ffe71d28 -->
<filter-mapping>
<filter-name>CSRF_Default</filter-name>
<url-pattern>/canary/*</url-pattern>
<exclude-url-regex>^/canary/api/.*$</exclude-url-regex>
</filter-mapping>
<!-- source: pattern://2a09bff81af3e18af3e13d3f, pattern://bd83dfbd467e8211ffe71d28 -->
<filter-mapping>
<filter-name>ModSecurity_Web_Application_canaryPage_frontend</filter-name>
<url-pattern>/canary/*</url-pattern>
<exclude-url-regex>^/canary/api/.*$</exclude-url-regex>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>Authentication_SAML_SP_nevisidm_operations_Realm</filter-name>
@ -661,17 +563,6 @@
<url-pattern>/nevisidm/*</url-pattern>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>Authentication_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/canary/api/*</url-pattern>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17, pattern://bd83dfbd467e8211ffe71d28 -->
<filter-mapping>
<filter-name>Authentication_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/canary/*</url-pattern>
<exclude-url-regex>^/canary/api/.*$</exclude-url-regex>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>SAML_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/SAML2/ACS/*</url-pattern>
@ -691,16 +582,6 @@
<filter-name>Requirement_NEVIS_SecToken_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/nevisidm/*</url-pattern>
</filter-mapping>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<filter-mapping>
<filter-name>Authorization_Required_Roles_nevisIdm.Helpdesk_nevisIdm.TemplateAdmin_nevisIdm.UserAndUnitAdmin_nevisIdm.AppAdmin_nevisIdm.UserAdmin_nevisIdm.AppOwner_nevisIdm.EnterpriseRoleAdmin_nevisIdm.ClientRoot_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/nevisidm/*</url-pattern>
</filter-mapping>
<!-- source: pattern://3ccfece140b4bb464b3b7f51 -->
<filter-mapping>
<filter-name>Authorization_Forbidden_Roles_nevisIdm.Root_SAML_SP_nevisidm_operations_Realm</filter-name>
<url-pattern>/nevisidm/*</url-pattern>
</filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 -->
<filter-mapping>
<filter-name>Token_NEVIS_SecToken</filter-name>
@ -858,78 +739,6 @@
<param-value>/var/opt/keys/own/proxy-sp-saml-sp-nevisidm-operations-realm-identity/key.pem</param-value>
</init-param>
</servlet>
<!-- source: pattern://21d48876e12f7599c87ebd64, pattern://21d48876e12f7599c87ebd64#allowedMethods, pattern://21d48876e12f7599c87ebd64#backends, pattern://21d48876e12f7599c87ebd64#responseRewrite -->
<servlet>
<servlet-name>Connector_Web_Application_canaryPage_backend</servlet-name>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
<!-- source: pattern://21d48876e12f7599c87ebd64#allowedMethods -->
<init-param>
<param-name>AllowedMethods</param-name>
<param-value>ALL-HTTP,ALL-WEBDAV,-TRACE,-CONNECT</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64#responseRewrite -->
<init-param>
<param-name>AutoRewrite</param-name>
<param-value>header</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<init-param>
<param-name>CookieManager</param-name>
<param-value>retain:^.*$</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64 -->
<init-param>
<param-name>DNSCache.ttl</param-name>
<param-value>60</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64#backends -->
<init-param>
<param-name>InetAddress</param-name>
<param-value>canary-application-be.adn-agov-canary-01-dev:8081</param-value>
</init-param>
<!-- source: pattern://21d48876e12f7599c87ebd64#backends -->
<init-param>
<param-name>UseSSL</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
<!-- source: pattern://2a09bff81af3e18af3e13d3f, pattern://2a09bff81af3e18af3e13d3f#allowedMethods, pattern://2a09bff81af3e18af3e13d3f#backends, pattern://2a09bff81af3e18af3e13d3f#responseRewrite -->
<servlet>
<servlet-name>Connector_Web_Application_canaryPage_frontend</servlet-name>
<!-- source: pattern://2a09bff81af3e18af3e13d3f -->
<servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
<!-- source: pattern://2a09bff81af3e18af3e13d3f#allowedMethods -->
<init-param>
<param-name>AllowedMethods</param-name>
<param-value>ALL-HTTP,ALL-WEBDAV,-TRACE,-CONNECT</param-value>
</init-param>
<!-- source: pattern://2a09bff81af3e18af3e13d3f#responseRewrite -->
<init-param>
<param-name>AutoRewrite</param-name>
<param-value>header</param-value>
</init-param>
<!-- source: pattern://2a09bff81af3e18af3e13d3f -->
<init-param>
<param-name>CookieManager</param-name>
<param-value>retain:^.*$</param-value>
</init-param>
<!-- source: pattern://2a09bff81af3e18af3e13d3f -->
<init-param>
<param-name>DNSCache.ttl</param-name>
<param-value>60</param-value>
</init-param>
<!-- source: pattern://2a09bff81af3e18af3e13d3f#backends -->
<init-param>
<param-name>InetAddress</param-name>
<param-value>canary-application-fe.adn-agov-canary-01-dev:8080</param-value>
</init-param>
<!-- source: pattern://2a09bff81af3e18af3e13d3f#backends -->
<init-param>
<param-name>UseSSL</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
<!-- source: pattern://13ea034de32c190083ba9e35, pattern://13ea034de32c190083ba9e35#allowedMethods, pattern://13ea034de32c190083ba9e35#nevisIDM -->
<servlet>
<servlet-name>Connector_nevisIDM_Operations_Administration_GUI</servlet-name>
@ -1050,16 +859,6 @@
<servlet-name>Hosting_Default</servlet-name>
<url-pattern>/SAML2/stepup/*</url-pattern>
</servlet-mapping>
<!-- source: pattern://2a09bff81af3e18af3e13d3f, pattern://2a09bff81af3e18af3e13d3f#path -->
<servlet-mapping>
<servlet-name>Connector_Web_Application_canaryPage_frontend</servlet-name>
<url-pattern>/canary/*</url-pattern>
</servlet-mapping>
<!-- source: pattern://21d48876e12f7599c87ebd64, pattern://21d48876e12f7599c87ebd64#path -->
<servlet-mapping>
<servlet-name>Connector_Web_Application_canaryPage_backend</servlet-name>
<url-pattern>/canary/api/*</url-pattern>
</servlet-mapping>
<!-- source: pattern://f010ec68088ebd56349c7135, pattern://f010ec68088ebd56349c7135#path -->
<servlet-mapping>
<servlet-name>Connector_GreenMail</servlet-name>
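Review bot: The hunks `@ -116,36 +116,6 @@` and `@ -691,16 +582,6 @@` drop both SecurityRoleFilter definitions (Authorization_Required_Roles_nevisIdm.Helpdesk_…_SAML_SP_nevisidm_operations_Realm and Authorization_Forbidden_Roles_nevisIdm.Root_SAML_SP_nevisidm_operations_Realm) together with their `/nevisidm/*` filter-mappings, while the Authentication_, SessionHandler_ and Requirement_NEVIS_SecToken_ mappings on `/nevisidm/*` stay in place, so on the new side any authenticated identity, including one holding nevisIdm.Root, reaches the nevisIDM administration GUI without a proxy-side role check. The commit message ("new configuration version") does not say whether this is intended or whether role enforcement has moved elsewhere; if the removal is accidental the two `<filter>` blocks and their two `<filter-mapping>` entries should be restored as they were, and if it is deliberate the new web.xml should record that next to the remaining `/nevisidm/*` mappings, e.g. `<!-- role-based authorization for /nevisidm/* is enforced by <placeholder: enforcing component> as of <placeholder: change id> -->`. The other removals in this section (the canaryPage connector servlets, CSRF_Default, the ModSecurity canary filters and their mappings) are consistent with each other and read as a teardown of the canary application, which presumably is the intent; the source-attribution comment edits at `@ -66,7 +66,7 @@` and `@ -471,7 +406,7 @@` only drop a pattern reference and need no action.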