
import ch.nevis.esauth.auth.engine.AuthResponse
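// OP onboarding post-processing (nevisAuth Groovy script state).
//
// Two entries into this state are distinguished by the session attribute
// 'agov.op.onboarding.process.state':
//   null               -> the IdP's SAMLResponse has just been consumed; run the
//                         checks and trigger the federation-credential creation
//                         (result 'createSamlFedCredential')
//   'createCredential' -> the credential has been created; finish (result 'done')
//   anything else      -> internal error (result 'failure')
// Every outcome is written as one audit line (Event='OP-FAILED' / 'OP-SUCCESS').

// --- audit context -------------------------------------------------------
// Values that end up in audit log lines. The two HTTP-header values are
// client-supplied: control characters are replaced so a crafted header cannot
// inject additional log records (CR/LF log forging). X-Real-IP is only
// meaningful when the fronting proxy sets it — NOTE(review): confirm here.
def auditField = { value -> (value ?: 'unknown').toString().replaceAll(/\p{Cntrl}/, ' ') }

def loginContext = request.getLoginContext()
def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
def sourceIp = auditField(loginContext['connection.HttpHeader.X-Real-IP'])
def userAgent = auditField(loginContext['connection.HttpHeader.user-agent'] ?: loginContext['connection.HttpHeader.User-Agent'])
def minLoi = session['agov.op.onboarding.minLoi'] ?: 'unknown'

// Records a failed onboarding step: sets the error notes, writes the audit
// line and puts the response into AUTH_ERROR. Callers must `return` right
// after calling it (a `return` inside the closure would only leave the closure).
def failOnboarding = { String code, String info ->
    response.setNote('lasterror', code)
    response.setNote('lasterrorinfo', info)
    LOG.info("Event='OP-FAILED', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', lasterror=${response.getNote('lasterror')}, lasterrorinfo='${info}'")
    response.setStatus(AuthResponse.AUTH_ERROR)
}

def processState = session['agov.op.onboarding.process.state']

if (processState == null) {
    // 0) drop the SAMLResponse so that a re-entry into this state cannot
    //    process the same response a second time
    request.getInArgs().remove("SAMLResponse")

    // The IdP must have reported success before any attribute is trusted.
    if (notes['saml.response.statusCode'] != 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        failOnboarding('9903', "authentication by IdP failed: ${notes['saml.response.statusCode']}")
        return
    }

    // 1) the e-mail asserted by the IdP must match the one stored in IdM.
    //    Null-safe: a missing IdP attribute fails the check (9902) instead of
    //    throwing a NullPointerException out of the script.
    def idmEmail = session['ch.nevis.idm.User.email']
    def idpEmail = notes['saml.attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
    if (idpEmail == null || !idpEmail.equalsIgnoreCase(idmEmail)) {
        failOnboarding('9902', "email don't match: idm=${idmEmail} idp=${idpEmail}")
        return
    }

    // Both identifiers are required to build the federation credential. Note
    // that a literal value 'unknown' from the IdP is rejected as well.
    def homeName = notes['saml.attributes.http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/fp/homeName'] ?: 'unknown'
    def subject = session['ch.nevis.auth.saml.assertion.subject'] ?: 'unknown'
    if (homeName == 'unknown' || subject == 'unknown') {
        failOnboarding('9903', "invalid info from IdP: subject=${subject} homeName=${homeName}")
        return
    }

    // 2) all checks passed: remember the IdP identity for the next entry into
    //    this state and hand over to the credential creation
    response.setSessionAttribute('agov.op.onboarding.process.state', 'createCredential')
    response.setSessionAttribute('agov.op.onboarding.homeName', homeName)
    response.setSessionAttribute('agov.op.onboarding.subject', subject)
    response.setResult('createSamlFedCredential')
    return
} else if (processState == 'createCredential') {
    // 3) credential created: audit the success and finish
    def responseId = session['ch.nevis.auth.saml.response.id']
    def homeName = session['agov.op.onboarding.homeName'] ?: 'unknown'
    def subject = session['agov.op.onboarding.subject'] ?: 'unknown'
    LOG.info("Event='OP-SUCCESS', RequestedAq='${minLoi}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', ResponseID='${responseId}', subject='${subject}', homeName='${homeName}'")
    response.setResult('done')
    return
} else {
    // Unknown process state: this is a flow/configuration error, not a user
    // error, hence the error log and the 'failure' result (no AUTH_ERROR status,
    // as before).
    LOG.error("invalid state: ${processState}")
    response.setNote('lasterror', '9909')
    response.setNote('lasterrorinfo', 'internal error')
    response.setResult('failure')
}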