2 files added and 12 files updated

2024-11-22 07:41:13 +00:00 · 2024-11-22 07:41:13 +00:00 · a9251b958b
parent c1eb3fda18
commit a9251b958b
17 changed files with 83 additions and 9 deletions
--- a/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
+++ b/patterns/1200a58c76686d520c21edb0_resources/resources-op.zip
--- a/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml
+++ b/patterns/24cbc652d3166c8374eda3cd_authStatesFile/UpdateUserIfNeeded.xml
@ -2,10 +2,10 @@
 	<ResultCond name="emailaddressDidntChange,givennameDidntChange,surnameDidntChange,languageDidntChange" next="${state.done}"/>
 	<ResultCond name="default" next="${state.entry}_Update"/>
 	<Response value="AUTH_ERROR"/>
-	<property name="condition:emailaddressDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', 'missing').equals(sess.get('ch.nevis.idm.User.email')) }"/>
-	<property name="condition:givennameDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', 'missing').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
-	<property name="condition:surnameDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', 'missing').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
-	<property name="condition:languageDidntChange" value="#{ notes.getProperty('saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance', 'missing').equals(sess.get('ch.nevis.idm.User.language')) }"/>
+	<property name="condition:emailaddressDidntChange" value="#{ !sess.containsKey('idp.email') or sess.get('idp.email').equals(sess.get('ch.nevis.idm.User.email')) }"/>
+	<property name="condition:givennameDidntChange" value="#{ !sess.containsKey('idp.firstName') or sess.get('idp.firstName').equals(sess.get('ch.nevis.idm.User.firstName')) }"/>
+	<property name="condition:surnameDidntChange" value="#{ !sess.containsKey('idp.lastName') or sess.get('idp.lastName').equals(sess.get('ch.nevis.idm.User.lastName')) }"/>
+	<property name="condition:languageDidntChange" value="#{ !sess.containsKey('idp.language') or sess.get('idp.language').equals(sess.get('ch.nevis.idm.User.language')) }"/>
 </AuthState>
 <AuthState name="${state.entry}_Update" class="ch.nevis.idm.authstate.IdmSetPropertiesState" final="false" resumeState="false">
 	<ResultCond name="emailExists" next="${state.entry}_AuditError"/>
--- a/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
+++ b/patterns/39ecde9a0d101628fed3e3be_resources/resources-op.zip
--- a/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
+++ b/patterns/488949a743edb1f46f73f232_scriptFile/setUserExtIdFromAssertion.groovy
@ -1,10 +1,10 @@
 try {
  def s = request.getAuthSession(true)

-  LOG.info("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
-  LOG.info("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")
-
+  LOG.debug("operationsExtId: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']}")
+  LOG.debug("operationsUserProfileExtIdList: ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']}")

+  // set operation's account extId and profile extid
  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'] == null || notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId'] == null) {
    LOG.error("[OPACCESS] User ${notes['saml.assertion.subject']} tried to access without operations account or profile")
    response.setResult('error');
@ -13,6 +13,20 @@ try {

  response.setSessionAttribute('operationsExtId', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId'])

+  // extract additional attributes from assertion in session
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname']) {
+    response.setSessionAttribute('idp.firstName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'])
+  }
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']) {
+    response.setSessionAttribute('idp.lastName', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'])
+  }
+  if (notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) {
+    response.setSessionAttribute('idp.email', notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'])
+  }
+  if (notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance']) {
+    response.setSessionAttribute('idp.language', notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/languageOfCorrespondance'])
+  }
+
  // we take the first one, if there is no profile in the operations unit
  def unitAndProfileExtidPar = notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserProfileExtId']
    .split(',').find{pairstr -> pairstr.split("\\\\")[1]  == "${var.operations-unitExtId}" } 
@ -22,8 +36,21 @@ try {
  {
    LOG.info("[OPACCESS] User ${notes['saml.assertion.subject']} with opaccount ${notes['saml.attributes.http://schemas.agov.ch/ws/2023/05/identity/claims/operationsUserExtId']} has no operations profile, we use the first one")
  }
-
  response.setSessionAttribute('operationsProfileExtId', unitAndProfileExtidPar.split("\\\\")[0])
+
+  // ad role based on agov aq level
+  def acrToRoleMap = [ 'urn:qa.agov.ch:names:tc:ac:classes:100':'AGOV-Loi.level100',
+    'urn:qa.agov.ch:names:tc:ac:classes:200':'AGOV-Loi.level200',
+    'urn:qa.agov.ch:names:tc:ac:classes:300':'AGOV-Loi.level300',
+    'urn:qa.agov.ch:names:tc:ac:classes:400':'AGOV-Loi.level400',
+    'urn:qa.agov.ch:names:tc:ac:classes:500':'AGOV-Loi.level500'
+  ]
+
+  if (acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']?='none']) {
+    response.addActualRole(acrToRoleMap[session['ch.nevis.auth.saml.assertion.authnContextClassRef']])
+  }
+
+
  response.setResult('ok');  

 } catch(Exception ex) {
--- a/patterns/6df66943ca713eed2a25d935_labels/labels.zip
+++ b/patterns/6df66943ca713eed2a25d935_labels/labels.zip
--- a/patterns/6df66943ca713eed2a25d935_template/webdata.zip
+++ b/patterns/6df66943ca713eed2a25d935_template/webdata.zip
--- a/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
+++ b/patterns/6f9c9f982dcc7ef59a34f1f7_labels/labels.zip
--- a/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
+++ b/patterns/6f9c9f982dcc7ef59a34f1f7_template/webdata.zip
--- a/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
+++ b/patterns/7518c6cc61e47eec6322ae17_labels/labels.zip
--- a/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
+++ b/patterns/7518c6cc61e47eec6322ae17_template/webdata.zip
--- a/patterns/AgovAq300AuthorizationPolicy_088e03c92ee8a5168b030e9e.yml
+++ b/patterns/AgovAq300AuthorizationPolicy_088e03c92ee8a5168b030e9e.yml
@ -0,0 +1,10 @@
+schemaVersion: "1.0"
+pattern:
+  id: "088e03c92ee8a5168b030e9e"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.AuthorizationPolicy"
+  name: "AgovAq300AuthorizationPolicy"
+  properties:
+    requiredRoles:
+    - "AGOV-Loi.level300"
+    - "AGOV-Loi.level400"
+    - "AGOV-Loi.level500"
--- a/patterns/ArtReporting_4da72abf93d79d0698250e39.yml
+++ b/patterns/ArtReporting_4da72abf93d79d0698250e39.yml
@ -10,6 +10,7 @@ pattern:
    realm:
    - "pattern://7518c6cc61e47eec6322ae17"
    addons:
+    - "pattern://088e03c92ee8a5168b030e9e"
    - "pattern://ae3127e7a6869fea8b850ad9"
    backends: "var://artreporting-backend-addresses"
    hostnameCheck: "disabled"
--- a/patterns/IDM_Prune_Operations_Accounts_Job_b4ede97e934bb0fc17c60976.yml
+++ b/patterns/IDM_Prune_Operations_Accounts_Job_b4ede97e934bb0fc17c60976.yml
@ -0,0 +1,30 @@
+schemaVersion: "1.0"
+pattern:
+  id: "b4ede97e934bb0fc17c60976"
+  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMGenericBatchJob"
+  name: "IDM Prune Operations Accounts Job"
+  label: "Batch"
+  notes: "Archive accounts after 30d of disabling and delete them after a year (335d\
+    \ later)\nruns daily at 01:30"
+  properties:
+    job: "<bean id=\"pruneOperationsAccountsJob\"  class=\"org.springframework.scheduling.quartz.JobDetailFactoryBean\"\
+      >\n    <property name=\"description\" value=\"Archive and delete obsolete shadow\
+      \ accounts\"/>\n    <property name=\"jobClass\" value=\"ch.nevis.idm.batch.jobs.UpdateUserStateJob\"\
+      />\n    <property name=\"durability\" value=\"true\"/>\n    <property name=\"\
+      jobDataMap\">\n        <bean class=\"org.quartz.JobDataMap\">\n            <constructor-arg>\n\
+      \                <map>\n                    <entry key=\"daysNoActivity\" value=\"\
+      -1\"/>\n                    <entry key=\"considerUsersNeverLoggedIn\" value=\"\
+      true\"/>\n                    <entry key=\"sendWarning\" value=\"false\"/>\n\
+      \                    <entry key=\"daysGracePeriod\" value=\"1\"/>\n        \
+      \            <entry key=\"daysStatusDisabled\" value=\"30\"/>\n            \
+      \        <entry key=\"daysStatusArchived\" value=\"335\"/>\n               \
+      \     <entry key=\"disableOutdatedUsers\" value=\"true\"/>\n               \
+      \     <entry key=\"disableNotYetActiveUsers\" value=\"false\"/>\n          \
+      \          <entry key=\"excludeTechnicalUsers\" value=\"true\"/>\n         \
+      \           <entry key=\"restrictToClients\" value=\"d9a334a6-b6f5-4982-a24e-13ae095a60fa\"\
+      />\n                </map>\n            </constructor-arg>\n        </bean>\n\
+      \    </property>\n</bean>\n"
+    trigger: "<bean id=\"pruneOperationsAccountsJobTrigger\" class=\"org.springframework.scheduling.quartz.CronTriggerFactoryBean\"\
+      >\n    <property name=\"description\" value=\"Archive and delete obsolete operations\
+      \ accounts\"/>\n    <property name=\"jobDetail\" ref=\"pruneOperationsAccountsJob\"\
+      />\n    <property name=\"cronExpression\" value=\"30 1 0 * * ?\"/>\n</bean>"
--- a/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml
+++ b/patterns/IDM_Prune_Shadow_Accounts_Job_3600b7d00b6427226e451f8d.yml
@ -4,6 +4,8 @@ pattern:
  className: "ch.nevis.admin.v4.plugin.nevisidm.patterns.NevisIDMGenericBatchJob"
  name: "IDM Prune Shadow Accounts Job"
  label: "Batch"
+  notes: "Archive accounts after 15d of disabling and delete them after 100 days\n\
+    runs daily at 00:30"
  properties:
    job: "<bean id=\"pruneShadowAccountsJob\"  class=\"org.springframework.scheduling.quartz.JobDetailFactoryBean\"\
      >\n    <property name=\"description\" value=\"Archive and delete obsolete shadow\
--- a/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
+++ b/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
@ -5,7 +5,8 @@ pattern:
  name: "nevisIDM Custom Property verificationTransactionId"
  properties:
    propertyName: "verificationTransactionId"
+    uniquenessScope: "ABSOLUTE"
    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
    maxLength: "50"
-    accessModify: "READ_WRITE"
+    accessModify: "READ_ONLY"
    accessCreate: "READ_WRITE"
--- a/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
+++ b/patterns/nevisIDM_Operations_Administration_GUI_13ea034de32c190083ba9e35.yml
@ -15,3 +15,5 @@ pattern:
    - "pattern://271d024334021208b71ac80a"
    selfAdmin: "disabled"
    apiAccess: "disabled"
+    addons:
+    - "pattern://088e03c92ee8a5168b030e9e"
--- a/patterns/nevisIDM_batch_641ac4edf0c17383d3c0ea38.yml
+++ b/patterns/nevisIDM_batch_641ac4edf0c17383d3c0ea38.yml
@ -26,3 +26,4 @@ pattern:
    - "pattern://3600b7d00b6427226e451f8d"
    - "pattern://50d6c91ace65f52fa56d7113"
    - "pattern://f4e909fcaf0ae3f6effb28ae"
+    - "pattern://b4ede97e934bb0fc17c60976"