new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-d19a190ffad492ab91a9ed98a565105e0bd12bf5"
+    tag: "r-76bb710ec35345bf5eb9149c3a3542ee7e23a2eb"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -1753,8 +1753,6 @@
             <property name="script" value="file:///var/opt/nevisauth/default/conf/sanitizeAndDispatchRecoveryEmailInput.groovy"/>
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
-            <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="cancel" next="Auth_Realm_Recovery_Auth_Failed"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="confirm" next="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket"/>
             <!-- source: pattern://584964c837512845d7940809 -->
@@ -1882,18 +1880,6 @@
             <!-- source: pattern://584964c837512845d7940809 -->
             <property name="sess:agov.recovery.email" value="${inargs:email}"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
-            <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
-                <Gui name="Error">
-                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
-                    <GuiElem name="info" type="error" label="error_99"/>
-                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
-                    <GuiElem name="submit" type="button" label="continue.button.label"/>
-                </Gui>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false" resumeState="true">
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_invalidateCode"/>
@@ -2046,6 +2032,18 @@
             <!-- source: pattern://584964c837512845d7940809 -->
             <property name="detaillevel.credential" value="HIGH"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                <Gui name="Error">
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_emailSent_screen" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
             <!-- source: pattern://6364d27d1ca954be8ef7cb46 -->
             <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_emailSent_screen"/>
@@ -2175,25 +2173,25 @@
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="true" resumeState="true">
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
+            <ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Auth_Failed"/>
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
+            <ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="lockWarn" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
+            <ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="no_code-true" next="Auth_Realm_Recovery_Recovery_getCredentials"/>
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
+            <ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_Auth_codeVerified"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="pwChange" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
+            <ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <Response value="AUTH_CONTINUE">
                 <!-- source: pattern://584964c837512845d7940809 -->
@@ -2299,13 +2297,6 @@
             <!-- source: pattern://6061abea33a234fad73897b7 -->
             <property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
-            <!-- source: pattern://584964c837512845d7940809 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://584964c837512845d7940809 -->
-                <Gui name="recovery_check_noCode"/>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="default" next="Auth_Realm_Recovery_Recovery_getCredentials"/>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy

@@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
     "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
 ]
 
+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
 def getUserIdVerificationForRecovery(currentLoaRole) {
   // application is AGOV-AccountStatus
   def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
@@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
   try {
     def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
     def userState = userDto.state
+    def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
     LOG.debug("Recovery: Dto is '${userDto}")
     LOG.debug("Recovery: state is '${userState}")
+    LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCredential : 'none'}'") 
     def session = request.getAuthSession(true)
 
     if (userState == 'ACTIVE') {
@@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
           response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
 
           if ((maxLoi == 'level100') && (mustRecover == null)) {
+            // AQ100 accounts need to used the recovery code, if they can
+            // check the status of recoveryCode credential
+            if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+              LOG.debug("Recovery: emailAndCode")
+              response.setResult('needCode')
+              return
+            } else {
+             LOG.warning("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+             response.setResult('ok')
+              return
+            }
+
             // mustRecover role not set, so code needs to be checked
-            LOG.debug("Recovery: emailAndCode")
-            response.setResult('needCode')
-            return
           } else {
             LOG.debug("Recovery: email")
             response.setResult('ok')