new configuration version

2025-03-05 06:15:34 +00:00 · 2025-03-05 06:15:34 +00:00 · 0e04da9e17
parent d898d77a96
commit 0e04da9e17
3 changed files with 16 additions and 9 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -45,7 +45,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-20ae46349f67d35e89254106268a3ee7b00877de"
+    tag: "r-b95c8e57793f4462c7fef2b90b04dd0225d1b9e1"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  keystores:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@ -168,7 +168,9 @@
                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
            </Response>
            <!-- source: pattern://68665057549fd887ea09fb86 -->
-            <property name="parameter.appAddressRequired.whitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground"/>
+            <property name="parameter.bestTokenAddressWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground"/>
+            <!-- source: pattern://68665057549fd887ea09fb86 -->
+            <property name="parameter.bestTokenSvnrWhitelist" value="https://testapp-01.agov-d.azure.adnovum.net/test/api/saml2/service-provider-metadata/agovidp, OidcPlayground"/>
            <!-- source: pattern://68665057549fd887ea09fb86 -->
            <property name="parameter.url" value="https://utility.agov-d.azure.adnovum.net/connect/billing/relying-party"/>
            <!-- source: pattern://68665057549fd887ea09fb86 -->
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy
@ -44,11 +44,14 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
 def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'

-LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')

+def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")

-def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
-def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')

 if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
  response.setResult('error');
@ -71,16 +74,18 @@ try {
        def json = jsonSlurper.parseText(httpResponse.bodyAsString())
        LOG.debug('AdressRequired: ' + json.addrRequired)
        LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
-        LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+        LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
+        LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)

        // address will be returned to the application if allowed by connect (json.addrRequired) 
        // and the authRequest was done with at least AGOVaq 200
-        // BITBKAGOVSUP-362: or whitelisted to receive the address
-        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+        // BUNDBITBK-4307: or best token for address is enabled
+        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))

        // address will be returned to the application if allowed by connect (json.svnrAllowed) 
        // and the authRequest was done with at least AGOVaq 300
-        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+        // BUNDBITBK-4307: or best token for svnr is enabled
+        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))

        session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
        session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)