From 0e04da9e17b96464b568874899391fca1950cc43 Mon Sep 17 00:00:00 2001 From: haburger Date: Wed, 5 Mar 2025 06:15:34 +0000 Subject: [PATCH] new configuration version --- ...8s-nevisauth-7022472ae407577ae604bbb8.yaml | 2 +- .../opt/nevisauth/default/conf/esauth4.xml | 4 +++- .../default/conf/requestedrolelevel.groovy | 19 ++++++++++++------- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml index 6e9827c..19e9634 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml @@ -45,7 +45,7 @@ spec: podDisruptionBudget: maxUnavailable: "50%" git: - tag: "r-20ae46349f67d35e89254106268a3ee7b00877de" + tag: "r-b95c8e57793f4462c7fef2b90b04dd0225d1b9e1" dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth" credentials: "git-credentials" keystores: diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml index 23cd04a..4016cc2 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml @@ -168,7 +168,9 @@ - + + + diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy index 059c687..899ebeb 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy 
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy
@@ -44,11 +44,14 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
 def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
-LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
+def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
-def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
 if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
 response.setResult('error');
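Review bot: The two whitelist tests are fail-open for a blank requester: when neither parameter is configured both sentinels reduce to `,,`, and `','+requester+','` is also `,,` if `requester` is the empty string, so both best-token flags would come out true with no configuration at all. `requester` is defined above the hunk, so whether it is normalised to a non-empty value cannot be confirmed from here; the membership test should not depend on that. The address and svnr lines are also identical except for the parameter name, so a single closure that tokenises the parameter (which drops empty entries) and checks membership removes both the duplication and the empty-sentinel case, as sketched below; the later `LOG.info` and the `if` that follows are unchanged.
```groovy
def isOnWhitelist = { String paramName ->
    def entries = (parameters.get(paramName) ?: '').replaceAll('\\s', '').tokenize(',')
    return requester && (requester in entries)
}
def appRequiresBestTokenWithAddress = isOnWhitelist('bestTokenAddressWhitelist')
def appRequiresBestTokenWithSvnr = isOnWhitelist('bestTokenSvnrWhitelist')
// … unchanged: LOG.info("Event='AUTHREQUEST', …") …
```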
@@ -71,16 +74,18 @@ try {
 def json = jsonSlurper.parseText(httpResponse.bodyAsString())
 LOG.debug('AdressRequired: ' + json.addrRequired)
 LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
- LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+ LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
+ LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
 // address will be returned to the application if allowed by connect (json.addrRequired)
 // and the authRequest was done with at least AGOVaq 200
- // BITBKAGOVSUP-362: or whitelisted to receive the address
- session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+ // BUNDBITBK-4307: or best token for address is enabled
+ session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
 // address will be returned to the application if allowed by connect (json.svnrAllowed)
 // and the authRequest was done with at least AGOVaq 300
- session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+ // BUNDBITBK-4307: or best token for svnr is enabled
+ session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
 session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
 session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
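Review bot: The override that releases the address or SVNR below the AGOVaq threshold leaves no trace above debug level: the two new `LOG.debug` lines print the flags, but nothing records the case where `json.svnrAllowed` (or `json.addrRequired`) is true, `requestedRoleLevelNumber` is below 300 (or 200), and the attribute is still set to true only because the requester is whitelisted. Since that is the decision that widens what the application receives, an info-level line next to the `setAttribute` call would make it auditable, e.g. `if (json.svnrAllowed && requestedRoleLevelNumber < 300 && appRequiresBestTokenWithSvnr) LOG.info("Event='BESTTOKEN_OVERRIDE', Requester='${requester}', Attribute='svnr', RequestedAq=${requestedRoleLevelNumber}")`, and the same for the address. The new comments could also name the parameter that enables the override so an operator can locate it: `// BUNDBITBK-4307: or requester is listed in parameter bestTokenSvnrWhitelist`. The enclosing `try` block begins before the hunk.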