4 files added and 12 files updated

2024-10-30 16:44:03 +00:00 · 2024-10-30 16:44:03 +00:00 · 3f1f07b632
parent 4da8b84d63
commit 3f1f07b632
21 changed files with 108 additions and 31 deletions
--- a/bundles.yml
+++ b/bundles.yml
@ -1,12 +1,12 @@
 schemaVersion: "1.0"
 bundles:
- "nevisadmin-plugin-oauth:8.2405.2.0"
- "nevisadmin-plugin-authcloud:8.2405.2.0"
- "nevisadmin-plugin-nevisidm:8.2405.2.0"
- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
- "nevisadmin-plugin-fido2:8.2405.2.0"
- "nevisadmin-plugin-nevisdp:8.2405.2.0"
- "nevisadmin-plugin-nevisauth:8.2405.2.0"
- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
 - "nevisadmin-plugin-base-generation:8.2405.2.0"
+- "nevisadmin-plugin-oauth:8.2405.2.0"
+- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
+- "nevisadmin-plugin-nevisauth:8.2405.2.0"
+- "nevisadmin-plugin-nevisdp:8.2405.2.0"
+- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
+- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
+- "nevisadmin-plugin-nevisidm:8.2405.2.0"
+- "nevisadmin-plugin-fido2:8.2405.2.0"
+- "nevisadmin-plugin-authcloud:8.2405.2.0"
--- a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
+++ b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
--- a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
+++ b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
--- a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
+++ b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
@ -13,22 +13,17 @@ try {

  response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])

-  if (! notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].contains('${var.operations-unitExtId}') )
+  // we take the first one, if there is no profile in the operations unit
+  def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
+    .split(',').find{pairstr -> pairstr.split("\\\\")[1]  == "${var.operations-unitExtId}" } 
+    ?: notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',')[0]
+
+  if (! unitAndProfileExtidPar.contains('${var.operations-unitExtId}') )
  {
-    LOG.warn("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has not operations profile")
-    response.setResult('error');
-    return
-  }
-
-
-  notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'].split(',').eachWithIndex { pairstr, i ->
-    pair = pairstr.split("\\\\")
-    if (pair[1] == "${var.operations-unitExtId}") {
-        response.setSessionAttribute('operationsProfileExtId', pair[0])
-        LOG.warn(pair[0] + " userprofileExtid has the wanted unitExtId " + pair[1])
-    }
+    LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
  }

+  response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
  response.setResult('ok');  

 } catch(Exception ex) {
--- a/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties
+++ b/patterns/50d6c91ace65f52fa56d7113_rolePermissionsFile/agov-rolesMapping.properties
@ -1,8 +1,8 @@
 # -- base admin roles (AGOV specific role definition)
 # ------------------------------------------------------

-## user administrator (reduced rightd; CLIENT, UNIT)
-nevisIdm.UserAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
+## user administrator (reduced rightd; CLIENT, UNIT and only URL ticket creation allowed)
+nevisIdm.UserAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState.14,CredentialCreate.14,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView

 ## user and unit administrator (same as above + unit mgmt; CLIENT, UNIT)
 nevisIdm.UserAndUnitAdmin=ApplicationView,AuthorizationSearch,AuthorizationApplView,AuthorizationClientView,AuthorizationUnitView,AuthorizationView,ClientSearch,ClientView,CredentialChangeState,CredentialCreate,CredentialSearch,CredentialView,EntityAttributeAccessOverride,ProfileCreate,ProfileModify,ProfileSearch,ProfileView,PropertyAllowedValueSearch,PropertyAllowedValueView,PropertySearch,PropertyValueCreate,PropertyValueDelete,PropertyValueModify,PropertyValueSearch,PropertyValueView,PropertyView,RoleSearch,RoleView,UnitCreate,UnitDelete,UnitModify,UnitSearch,UnitView,UserCreate,UserModify,UserSearch,UserView,PropertyAttributeAccessOverride,CollectionView,GenerateReport,SearchResultsExport,EnterpriseAuthorizationSearch,EnterpriseAuthorizationView,EnterpriseRoleMemberSearch,EnterpriseRoleView,AuthorizationEnterpriseRoleSearch,AuthorizationEnterpriseRoleView
--- a/patterns/6df66943ca713eed2a25d935_labels/labels.zip
+++ b/patterns/6df66943ca713eed2a25d935_labels/labels.zip
--- a/patterns/6df66943ca713eed2a25d935_template/webdata.zip
+++ b/patterns/6df66943ca713eed2a25d935_template/webdata.zip
--- a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
+++ b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
--- a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
+++ b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
--- a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
+++ b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
--- a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
+++ b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
--- a/patterns/ExternalIngressSettings_f86835f0958316e9fd505e0a.yml
+++ b/patterns/ExternalIngressSettings_f86835f0958316e9fd505e0a.yml
@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "f86835f0958316e9fd505e0a"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericIngressSettings"
+  name: "ExternalIngressSettings"
+  label: "Operations"
+  properties:
+    annotations: "var://externalingresssettings-annotations"
+    ingressClassName: "var://externalingresssettings-class-name"
--- a/patterns/InternalIngressSettings_627ae22025e4d3bd7654239e.yml
+++ b/patterns/InternalIngressSettings_627ae22025e4d3bd7654239e.yml
@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "627ae22025e4d3bd7654239e"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.GenericIngressSettings"
+  name: "InternalIngressSettings"
+  label: "Admin"
+  properties:
+    annotations: "var://internalingresssettings-annotations"
+    ingressClassName: "var://internalingresssettings-class-name"
--- a/patterns/NevisIdmRoleRequiredPolicy_3ccfece140b4bb464b3b7f51.yml
+++ b/patterns/NevisIdmRoleRequiredPolicy_3ccfece140b4bb464b3b7f51.yml
@ -0,0 +1,16 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3ccfece140b4bb464b3b7f51"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthorizationPolicy"
+  name: "NevisIdmRoleRequiredPolicy"
+  properties:
+    requiredRoles:
+    - "nevisIdm.Helpdesk"
+    - "nevisIdm.TemplateAdmin"
+    - "nevisIdm.UserAndUnitAdmin"
+    - "nevisIdm.AppAdmin"
+    - "nevisIdm.UserAdmin"
+    - "nevisIdm.AppOwner"
+    - "nevisIdm.EnterpriseRoleAdmin"
+    - "nevisIdm.ClientRoot"
+    forbiddenRoles: "nevisIdm.Root"
--- a/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
+++ b/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "9c6ad44795320a7adec1ccde"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+  name: "Security Response Headers"
+  properties:
+    responseHeaders: "var://security-response-headers-response-headers"
--- a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
+++ b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
@ -10,6 +10,8 @@ pattern:
    addresses: "var://virtual_host_idmadmin-frontend-addresses"
    defaultEntry: "/nevisidm/admin/"
    resources: "res://1200a58c76686d520c21edb0#resources"
+    securityHeaders: "custom"
    addons:
    - "pattern://58ece0328f5bf4d78e1a82d2"
    - "pattern://076ce5c5440843a23150b386"
+    - "pattern://9c6ad44795320a7adec1ccde"
--- a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
+++ b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
@ -11,7 +11,9 @@ pattern:
    defaultEntry: "/nevisidm/admin/"
    resources: "res://39ecde9a0d101628fed3e3be#resources"
    requireClientCert: "disabled"
+    securityHeaders: "custom"
    addons:
    - "pattern://58ece0328f5bf4d78e1a82d2"
    - "pattern://076ce5c5440843a23150b386"
    - "pattern://d9c194064d834ad41843ff4e"
+    - "pattern://9c6ad44795320a7adec1ccde"
--- a/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
+++ b/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
@ -15,3 +15,5 @@ pattern:
    - "pattern://271d024334021208b71ac80a"
    selfAdmin: "disabled"
    apiAccess: "disabled"
+    addons:
+    - "pattern://3ccfece140b4bb464b3b7f51"
--- a/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml
+++ b/patterns/nevisProxy_Instance_IDM_3bc06037962ad13be0a3a95d.yml
@ -10,3 +10,4 @@ pattern:
    - "pattern://1200a58c76686d520c21edb0"
    addons:
    - "pattern://31ae68f6cc8ade7258adce8d"
+    - "pattern://627ae22025e4d3bd7654239e"
--- a/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml
+++ b/patterns/operations_nevisProxy_Instance_bd83dfbd467e8211ffe71d28.yml
@ -10,3 +10,4 @@ pattern:
    - "pattern://39ecde9a0d101628fed3e3be"
    addons:
    - "pattern://31ae68f6cc8ade7258adce8d"
+    - "pattern://f86835f0958316e9fd505e0a"
--- a/variables.yml
+++ b/variables.yml
@ -50,13 +50,6 @@ variables:
      secretPreserving: true
    value: null
    requireOverloading: true
-  cert-login-root-ca:
-    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
-    parameters:
-      required: false
-      syntax: "YAML"
-    value: null
-    requireOverloading: true
  cert-login-template-parameters:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
    parameters:
@ -64,6 +57,21 @@ variables:
      syntax: "YAML"
    value: "caFile.pem"
    requireOverloading: true
+  externalingresssettings-annotations:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      separators:
+      - ":"
+      switchedSeparators: []
+    value: null
+    requireOverloading: true
+  externalingresssettings-class-name:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+    parameters:
+      minRequired: 0
+      maxAllowed: 1
+    value: "nginx"
+    requireOverloading: true
  greenmail-backend-addresses:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
    parameters:
@ -307,6 +315,21 @@ variables:
      maxAllowed: 1
    value: "nginx"
    requireOverloading: true
+  internalingresssettings-annotations:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      separators:
+      - ":"
+      switchedSeparators: []
+    value: null
+    requireOverloading: true
+  internalingresssettings-class-name:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+    parameters:
+      minRequired: 0
+      maxAllowed: 1
+    value: "nginx"
+    requireOverloading: true
  nevisauth-log-settings-log-levels:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
    parameters:
@ -724,6 +747,16 @@ variables:
      format: "^[^\\s,]*$"
    value: "https://op.agov-d.azure.adnovum.net/SAML2/ACS/"
    requireOverloading: true
+  security-response-headers-response-headers:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      minRequired: 1
+      separators:
+      - ":"
+      switchedSeparators: []
+    value:
+    - X-Content-Type-Options: "nosniff"
+    requireOverloading: true
  technical_trust_store-additional-trusted-certificates:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
    parameters: