import groovy.json.JsonSlurper
|
|
|
|
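/**
 * Removes the SAML state of a previous round trip from the auth session.
 *
 * Every session attribute whose name starts with 'ch.nevis.auth.saml.' is dropped
 * (attribute names only are written to the debug log, never values).
 *
 * @param rpcodeToo when true, also drop the agov.ident.* attributes (rpcode, its
 *                  backup and the resolved entityId); pass false to keep them so a
 *                  retry after an IdP-side error can reuse the same RP.
 */
def cleanSession(boolean rpcodeToo) {
    def authSession = request.getAuthSession(true)

    if (rpcodeToo) {
        ['agov.ident.rpcode.backup', 'agov.ident.rpcode', 'agov.ident.entityId'].each { name ->
            authSession.removeAttribute(name)
        }
    }

    // Snapshot the key set first: attributes are removed while walking it.
    // The former pattern /ch.nevis.auth.saml..*/ left its dots unescaped, so it could
    // also match unrelated names; an explicit prefix test is what was intended.
    new HashSet(session.keySet()).each { name ->
        if (name.toString().startsWith('ch.nevis.auth.saml.')) {
            LOG.debug("Deleted session attribute '${name}'")
            authSession.removeAttribute(name)
        }
    }
}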
|
|
|
|
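// for auditing
//
// All of these values are client-supplied request headers. X-Real-IP is only as
// trustworthy as the reverse proxy that sets it (a client can send it directly if
// nothing in front of this service overwrites it) — treat it as an audit hint, not
// as an authenticated address. Because the values are interpolated into the audit
// log lines below, control characters (CR/LF in particular) are replaced so a
// malicious header cannot forge additional log lines. Empty-string headers still
// fall through to the next alternative, as before.
def logSafe = { value -> value?.toString()?.replaceAll(/\p{Cntrl}/, ' ') }
def loginCtx = request.getLoginContext()

def sourceIp = logSafe(loginCtx['connection.HttpHeader.X-Real-IP'] ?: 'unknown')
def userAgent = logSafe(loginCtx['connection.HttpHeader.user-agent'] ?: loginCtx['connection.HttpHeader.User-Agent'] ?: 'unknown')
def referer = logSafe(loginCtx['connection.HttpHeader.referer'] ?: loginCtx['connection.HttpHeader.Referer'] ?: '-')
def origin = logSafe(loginCtx['connection.HttpHeader.origin'] ?: loginCtx['connection.HttpHeader.Origin'] ?: '-')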
|
|
|
|
// 0) clean up, if we have a SAML Response in session
//
// A response id left in the session means a previous round trip did not finish.
// Its SAML attributes are always dropped; the agov.ident.* attributes are only kept
// when the IdP answered with a Responder status, so the user can retry the same RP.
def staleResponseId = session['ch.nevis.auth.saml.response.id']
if (staleResponseId) {
    def samlStatus = session['ch.nevis.auth.saml.response.statusCode']
    // keep rpcode in session, if retrying after SAML error
    def retryAfterIdpError = (samlStatus == 'urn:oasis:names:tc:SAML:2.0:status:Responder')
    cleanSession(!retryAfterIdpError)
}
|
|
|
|
// 1) we need to know the code of the RP
//
// Precedence: explicit 'rpcode' argument, then the SAML RelayState, then the copy
// stored in the session by an earlier request. Both request-side sources are
// attacker-controlled; the value is only trusted after it has been looked up in
// rpcode.list (step 2). rpentity stays '-' unless step 2 resolves it.
def rpcode = inargs['rpcode'] ?: inargs['RelayState'] ?: session['agov.ident.rpcode']
def rpcodeBackup = session['agov.ident.rpcode']
def rpentity = '-'

if (!rpcode) {
    // nothing identifies the RP: wipe all state and abort with the configured error result
    cleanSession(true)
    LOG.info("Event='IDENT-INVALIDREQ', rpcode='missing', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', Origin='${origin}'")
    // result name must match the auth-state configuration (spelling included)
    response.setResult('inavlidurl')
    return
}

// remember the previous rpcode so step 2 can tell whether the RP changed
if (rpcodeBackup) {
    response.setSessionAttribute('agov.ident.rpcode.backup', rpcodeBackup)
}
response.setSessionAttribute('agov.ident.rpcode', rpcode)
|
|
|
|
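// 2) load rp settings in session (if needed)
//
// Only when the rpcode differs from the one already in the session: the session copy
// was validated by an earlier run of this block, so a repeat lookup is unnecessary.
// rpcode.list is expected to be a JSON object mapping rpcode -> SAML entityId; it comes
// from the state configuration, not from the client.
if (rpcode != rpcodeBackup) {
    def rpMap = new JsonSlurper().parseText(parameters['rpcode.list'])
    LOG.debug(">>> rpMaP: ${rpMap}")

    if (!rpMap[rpcode]) {
        cleanSession(true)
        // rpcode is still untrusted here (query parameter or RelayState); strip control
        // characters so a crafted value cannot forge extra audit-log lines.
        def rpcodeForLog = rpcode.toString().replaceAll(/\p{Cntrl}/, ' ')
        LOG.info("Event='IDENT-INVALIDREQ', rpcode='${rpcodeForLog}', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', Origin='${origin}'")
        // result name must match the auth-state configuration (spelling included)
        response.setResult('inavlidurl')
        return
    }

    rpentity = rpMap[rpcode]
    response.setSessionAttribute('agov.ident.entityId', rpMap[rpcode])
}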
|
|
|
|
// 3) / 4) decide what the state machine does next
//
// An incoming SAMLResponse is handed to the response-processing state; otherwise a
// fresh AuthnRequest is started for the (by now validated) RP and the start of the
// flow is written to the audit log.
if (inargs['SAMLResponse']) {
    response.setResult('processResponse')
} else {
    LOG.info("Event='IDENT-INITREQ', rpcode='${rpcode}', rpentity='${rpentity}', SourceIp=${sourceIp}, UserAgent=${userAgent}, Referer='${referer}', " +
        "Origin='${origin}'")
    response.setResult('sendAuthnRequest')
}
return
|
|
|