adn-agov-iam-admin-project/patterns/488949a743edb1f46f73f232_sc.../setUserExtIdFromAssertion.g...

try {
  def s = request.getAuthSession(true)

  LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
  LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")

  // set operation's account extId and profile extid
  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
    LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
    response.setResult('error');
    return
  }

  response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])

  // extract additional attributes from assertion in session
  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
    response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
  }
  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
    response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
  }
  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
    response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
  }
  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
    response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
  }

  // we take the first one, if there is no profile in the operations unit
  def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
    .split(',').find{pairstr -> pairstr.split("\\\\")[1]  == "${var.operations-unitExtId}" } 
    ?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]

  if (! unitAndProfileExtidPar.contains('${var.operations-unitExtId}') )
  {
    LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
  }
  response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])

  // ad role based on agov aq level
  def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
    'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
    'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
    'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
    'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
  ]

  if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
    response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
  }


  response.setResult('ok');  

} catch(Exception ex) {
   LOG.warn("Exception in selectProfile groovy script: " + ex)
   response.setResult('error');
}
85 files added and 1 file updated 2024-10-21 08:11:34 +00:00			`try {`
			`def s = request.getAuthSession(true)`

2 files added and 12 files updated 2024-11-22 07:41:13 +00:00			`LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")`
			`LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")`
85 files added and 1 file updated 2024-10-21 08:11:34 +00:00
2 files added and 12 files updated 2024-11-22 07:41:13 +00:00			`// set operation's account extId and profile extid`
85 files added and 1 file updated 2024-10-21 08:11:34 +00:00			`if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null \|\| notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {`
			`LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")`
			`response.setResult('error');`
			`return`
			`}`

			`response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])`

2 files added and 12 files updated 2024-11-22 07:41:13 +00:00			`// extract additional attributes from assertion in session`
			`if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {`
			`response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])`
			`}`
			`if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {`
			`response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])`
			`}`
			`if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {`
			`response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])`
			`}`
			`if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {`
			`response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])`
			`}`

4 files added and 12 files updated 2024-10-30 16:44:03 +00:00			`// we take the first one, if there is no profile in the operations unit`
			`def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']`
			`.split(',').find{pairstr -> pairstr.split("\\\\")[1] == "${var.operations-unitExtId}" }`
			`?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]`
85 files added and 1 file updated 2024-10-21 08:11:34 +00:00
4 files added and 12 files updated 2024-10-30 16:44:03 +00:00			`if (! unitAndProfileExtidPar.contains('${var.operations-unitExtId}') )`
			`{`
			`LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")`
85 files added and 1 file updated 2024-10-21 08:11:34 +00:00			`}`
4 files added and 12 files updated 2024-10-30 16:44:03 +00:00			`response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])`
2 files added and 12 files updated 2024-11-22 07:41:13 +00:00
			`// ad role based on agov aq level`
			`def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',`
			`'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',`
			`'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',`
			`'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',`
			`'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'`
			`]`

			`if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {`
			`response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])`
			`}`


85 files added and 1 file updated 2024-10-21 08:11:34 +00:00			`response.setResult('ok');`

			`} catch(Exception ex) {`
			`LOG.warn("Exception in selectProfile groovy script: " + ex)`
			`response.setResult('error');`
			`}`