diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index adeb4f6..b72d350 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
- tag: "r-d19a190ffad492ab91a9ed98a565105e0bd12bf5"
+ tag: "r-76bb710ec35345bf5eb9149c3a3542ee7e23a2eb"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
credentials: "git-credentials"
keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index f2e406c..56426a7 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -1753,8 +1753,6 @@
-
-
@@ -1882,18 +1880,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
@@ -2046,6 +2032,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2175,25 +2173,25 @@
-
+
-
+
-
+
-
+
-
+
@@ -2299,13 +2297,6 @@
-
-
-
-
-
-
-
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy
index 271f6c1..661c369 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy
@@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
]
+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
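Review bot: The new `blockingCredentialStates` list carries only a URL as its comment; a reader has to open the enum docs to learn what the list is for and why `RESET_CODE` counts as blocking. A one-line comment above the `def` such as `// RECOVERY credential states in which the code must not be accepted; anything else is treated as usable` would make the policy reviewable in place. Note too that a script-level `def` in Groovy is a local of the script's run body, not a binding variable, so the list is visible where it is consulted later in the script body but would not be reachable from methods declared in the script such as `getUserIdVerificationForRecovery`; if it is ever needed there, drop the `def` or pass it in.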
@@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
try {
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
def userState = userDto.state
+ def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
LOG.debug("Recovery: Dto is '${userDto}")
LOG.debug("Recovery: state is '${userState}")
+ LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCredential : 'none'}'")
def session = request.getAuthSession(true)
if (userState == 'ACTIVE') {
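Review bot: The added debug line interpolates `recoveryCredential`, which is not defined anywhere in the hunk — the variable bound two lines earlier is `recoveryCode` — so the line raises a MissingPropertyException whenever a RECOVERY credential is found, and the surrounding `try {` has its catch outside the hunk, so what happens next is not visible here. Even with the name fixed, interpolating the whole credential node writes the credential element's contents into the log; the line should log only the state it later decides on, e.g. `LOG.debug("Recovery: RecoveryCode state is '${recoveryCode ? recoveryCode.state.text() : 'none'}'")`. The pre-existing `LOG.debug("Recovery: Dto is ...")` line above already logs the full user DTO, so the new line adds nothing a debugger needs beyond the state. The enclosing `if (session['ch.adnovum.nevisidm.userDto'] != null ...)` block and its `try` begin before and end after this hunk.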
@@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
if ((maxLoi == 'level100') && (mustRecover == null)) {
+ // AQ100 accounts need to used the recovery code, if they can
+ // check the status of recoveryCode credential
+ if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+ LOG.debug("Recovery: emailAndCode")
+ response.setResult('needCode')
+ return
+ } else {
+ LOG.warning("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+ response.setResult('ok')
+ return
+ }
+
// mustRecover role not set, so code needs to be checked
- LOG.debug("Recovery: emailAndCode")
- response.setResult('needCode')
- return
} else {
LOG.debug("Recovery: email")
response.setResult('ok')
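Review bot: Both branches of the new `if (recoveryCode && !blockingCredentialStates.contains(...))` return, so the comment `// mustRecover role not set, so code needs to be checked` that survives below it is now unreachable and describes the old behaviour; delete it, and the `else` can go as well since the guard already returned. More importantly, the else path makes the code check fail open: a `level100` account whose RECOVERY credential is `LOCKED`, `LOCKED_TEMPORARY` or `DISABLED` is recovered via `response.setResult('ok')` (email only), which is weaker than the removed code that always answered `needCode`. Unless a lock can never result from failed code entries, the missing-credential case (`recoveryCode == null`, logged as `'MISSING'`) should be separated from the blocked case, with the blocked case routed to a distinct failure result that the esauth4.xml state machine handles rather than to `ok`, and logged at a level operations actually monitor; the esauth4.xml hunks in this commit show no content here, so I cannot tell whether such a state exists. The enclosing `if ((maxLoi == 'level100') && (mustRecover == null))` and its `else` continue past the end of the hunk.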