1.7.5 RC1

2024-11-29 09:05:47 +00:00 · 2024-11-29 09:05:47 +00:00 · f39dc39c4b
parent e67bd0f553
commit f39dc39c4b
11 changed files with 75 additions and 11 deletions
--- a/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml
+++ b/patterns/2787b678d9cce5310a335419_authStatesFile/OpOnbrdng-PreProcessing.xml
@ -10,6 +10,7 @@
 	</Response>
 	<property name="scriptTraceGroup" value="AGOVOP-ACCT"/>
 	<property name="script" value="file:///var/opt/nevisauth/default/conf/OpOnbrdng-PreProcessing.groovy"/>
+    <property name="parameter.cookie.domain" value=".${var.admin-language-cookie-domain}"/>
 </AuthState>
 <AuthState name="${state.entry}_VerifyURLTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false" resumeState="false">
 	<ResultCond name="ok" next="${state.entry}_IdmPostProcessing" authLevel="auth.weak"/>
--- a/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy
+++ b/patterns/2787b678d9cce5310a335419_resources/OpOnbrdng-PreProcessing.groovy
@ -55,6 +55,12 @@ if (inargs['cd'] != null) {
 // 2b) clean the url, if necessary
 if (request.currentResource.replaceAll('^https:\\/\\/[^\\/]+\\/AUTH\\/ONBOARDING\\/', '').length() > 0) {

+  if (inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
+    // language change, set the language cookie
+    def langCookie = "LANG=${inargs['language']}; Domain=${parameters.get('cookie.domain')}; Path=/"
+    response.setHeader('Set-Cookie', langCookie)
+  }
+
  response.setStatus(AuthResponse.AUTH_CONTINUE)
  response.setTransferDestination('/AUTH/ONBOARDING/')
  response.setIsRedirectTransfer(true)
--- a/patterns/29a7ba8eaff67eb26d2394bc_script/setCspHeaders.lua
+++ b/patterns/29a7ba8eaff67eb26d2394bc_script/setCspHeaders.lua
@ -0,0 +1,18 @@
+function outputHeader(request, response)
+    trace = request:getTracer()
+
+    cspHeader = response:getHeader("content-security-policy")
+    if (cspHeader ~= nil) then 
+        trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+    else
+        trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+        response:setHeader("content-security-policy", param_csp)
+    end
+
+    if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+        trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+        response:setHeader("content-security-policy-report-only", param_report_only_csp)
+    else
+        trace:debug("AGOV CSP: No report only CSP-header set")
+    end
+end
--- a/patterns/Base_Security_Response_Headers_36886a1934993d1f69690e1d.yml
+++ b/patterns/Base_Security_Response_Headers_36886a1934993d1f69690e1d.yml
@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+  id: "36886a1934993d1f69690e1d"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+  name: "Base Security Response Headers"
+  label: "PROXY"
+  notes: "The security response headers, which are environment independent and/or\
+    \ static"
+  properties:
+    responseHeaders:
+    - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+    - X-Content-Type-Options: "nosniff"
+    - Referrer-Policy: "strict-origin-when-cross-origin"
+    - X-Frame-Options: "DENY"
+    - Cross-Origin-Opener-Policy: "same-origin"
+    - Cross-Origin-Embedder-Policy: "require-corp"
+    - Cross-Origin-Resource-Policy: "same-site"
+    - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
--- a/patterns/CSP_Security_Response_Headers_29a7ba8eaff67eb26d2394bc.yml
+++ b/patterns/CSP_Security_Response_Headers_29a7ba8eaff67eb26d2394bc.yml
@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "29a7ba8eaff67eb26d2394bc"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+  name: "CSP Security Response Headers"
+  properties:
+    script: "res://29a7ba8eaff67eb26d2394bc#script"
+    phase: "BEFORE_SANITATION"
+    parameters: "var://csp-security-response-headers"
--- a/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml
+++ b/patterns/OP-ONBRDNG-AuthenticationRealm_6df66943ca713eed2a25d935.yml
@ -16,6 +16,7 @@ pattern:
    labels: "res://6df66943ca713eed2a25d935#labels"
    labelsMode: "combined"
    defaultLabels: "enabled"
+    defaultProperties: "var://nevislogrend-configuration-logrendproperties"
    sessionTracking: "COOKIE"
    cookieName: "OP-ONBRDNG"
    cookieSameSite: "Lax"
--- a/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
+++ b/patterns/Security_Response_Headers_9c6ad44795320a7adec1ccde.yml
@ -1,7 +0,0 @@
-schemaVersion: "1.0"
-pattern:
-  id: "9c6ad44795320a7adec1ccde"
-  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
-  name: "Security Response Headers"
-  properties:
-    responseHeaders: "var://security-response-headers-response-headers"
--- a/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
+++ b/patterns/Virtual_Host_idmAdmin_1200a58c76686d520c21edb0.yml
@ -14,4 +14,5 @@ pattern:
    addons:
    - "pattern://58ece0328f5bf4d78e1a82d2"
    - "pattern://076ce5c5440843a23150b386"
-    - "pattern://9c6ad44795320a7adec1ccde"
+    - "pattern://29a7ba8eaff67eb26d2394bc"
+    - "pattern://36886a1934993d1f69690e1d"
--- a/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
+++ b/patterns/Virtual_Host_idmOperations_39ecde9a0d101628fed3e3be.yml
@ -16,4 +16,5 @@ pattern:
    - "pattern://58ece0328f5bf4d78e1a82d2"
    - "pattern://076ce5c5440843a23150b386"
    - "pattern://d9c194064d834ad41843ff4e"
-    - "pattern://9c6ad44795320a7adec1ccde"
+    - "pattern://36886a1934993d1f69690e1d"
+    - "pattern://29a7ba8eaff67eb26d2394bc"
--- a/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
+++ b/patterns/nevisIDM_Custom_Property_verificationTransactionId_706cabed89317b5e9ebd814f.yml
@ -5,7 +5,6 @@ pattern:
  name: "nevisIDM Custom Property verificationTransactionId"
  properties:
    propertyName: "verificationTransactionId"
-    uniquenessScope: "ABSOLUTE"
    clientExtId: "var://nevisidm-custom-property-svnr-client-external-id-agovs"
    maxLength: "50"
    accessModify: "READ_ONLY"
--- a/variables.yml
+++ b/variables.yml
@ -5,7 +5,7 @@ variables:
    parameters:
      minRequired: 0
      maxAllowed: 1
-    value: "contoso.org"
+    value: "agov.admin.ch"
    requireOverloading: true
  agov_admin_idm-db-management:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
@ -57,6 +57,23 @@ variables:
      syntax: "YAML"
    value: "caFile.pem"
    requireOverloading: true
+  csp-security-response-headers:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      separators:
+      - "="
+      switchedSeparators: []
+    value:
+    - param_csp: "default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM='\
+        \ 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo='\
+        \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:;\
+        \ child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle;\
+        \ img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\
+        \ https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect\
+        \ https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect;\
+        \ font-src 'self';"
+    - param_report_only_csp: "none"
+    requireOverloading: true
  externalingresssettings-annotations:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
    parameters: