new configuration version
This commit is contained in:
parent
981280c631
commit
1c1b066431
|
@ -45,7 +45,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-d19a190ffad492ab91a9ed98a565105e0bd12bf5"
|
||||
tag: "r-76bb710ec35345bf5eb9149c3a3542ee7e23a2eb"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
@ -1753,8 +1753,6 @@
|
|||
<property name="script" value="file:///var/opt/nevisauth/default/conf/sanitizeAndDispatchRecoveryEmailInput.groovy"/>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="cancel" next="Auth_Realm_Recovery_Auth_Failed"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="confirm" next="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
|
@ -1882,18 +1880,6 @@
|
|||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<property name="sess:agov.recovery.email" value="${inargs:email}"/>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<Gui name="Error">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<GuiElem name="info" type="error" label="error_99"/>
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false" resumeState="true">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_invalidateCode"/>
|
||||
|
@ -2046,6 +2032,18 @@
|
|||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<property name="detaillevel.credential" value="HIGH"/>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<Gui name="Error">
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<GuiElem name="info" type="error" label="error_99"/>
|
||||
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
|
||||
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_emailSent_screen" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
|
||||
<!-- source: pattern://6364d27d1ca954be8ef7cb46 -->
|
||||
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_emailSent_screen"/>
|
||||
|
@ -2175,25 +2173,25 @@
|
|||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="true" resumeState="true">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Auth_Failed"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
|
||||
<ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="lockWarn" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
|
||||
<ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="no_code-true" next="Auth_Realm_Recovery_Recovery_getCredentials"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
|
||||
<ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_Auth_codeVerified"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="pwChange" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
|
||||
<ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
|
@ -2299,13 +2297,6 @@
|
|||
<!-- source: pattern://6061abea33a234fad73897b7 -->
|
||||
<property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<Gui name="recovery_check_noCode"/>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
|
||||
<!-- source: pattern://584964c837512845d7940809 -->
|
||||
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_getCredentials"/>
|
||||
|
|
|
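Review bot: In the @ -2175 hunk the lock outcomes of `Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin` (`disabled`, `locked`, `nowLocked`, `tmpLocked`) appear to dispatch back to the same state, while the `Auth_Realm_Recovery_Recovery_Auth_codeLocked` state they previously reached is deleted in the @ -2299 hunk; because this state answers with AUTH_CONTINUE, a user whose recovery code becomes locked mid-flow is re-prompted indefinitely and never reaches a terminal outcome. That reading assumes the second line of each printed pair is the new side, which the removal of codeLocked supports. `clientNotFound` in the same hunk already goes to `Auth_Realm_Recovery_Auth_Failed`, a state the commit keeps (moved in the @ -1882 and @ -2046 hunks), so routing the four lock outcomes there would yield a terminal AUTH_ERROR and a visible failed outcome in the audit trail instead of a retry loop. The enclosing AuthState's body continues past the end of the hunk.
```xml
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="true" resumeState="true">
  <!-- … unchanged: clientNotFound, failed, lockWarn, no_code-true, ok and pwChange ResultConds … -->
  <ResultCond name="disabled" next="Auth_Realm_Recovery_Auth_Failed"/>
  <ResultCond name="locked" next="Auth_Realm_Recovery_Auth_Failed"/>
  <ResultCond name="nowLocked" next="Auth_Realm_Recovery_Auth_Failed"/>
  <ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Auth_Failed"/>
  <!-- … unchanged: Response AUTH_CONTINUE … -->
```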
@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
|
|||
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
|
||||
]
|
||||
|
||||
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
|
||||
def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
|
||||
|
||||
def getUserIdVerificationForRecovery(currentLoaRole) {
|
||||
// application is AGOV-AccountStatus
|
||||
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
|
||||
|
@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
|
|||
try {
|
||||
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
|
||||
def userState = userDto.state
|
||||
def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
|
||||
|
||||
LOG.debug("Recovery: Dto is '${userDto}")
|
||||
LOG.debug("Recovery: state is '${userState}")
|
||||
LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCredential : 'none'}'")
|
||||
def session = request.getAuthSession(true)
|
||||
|
||||
if (userState == 'ACTIVE') {
|
||||
|
@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
|
|||
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
|
||||
|
||||
if ((maxLoi == 'level100') && (mustRecover == null)) {
|
||||
// mustRecover role not set, so code needs to be checked
|
||||
// AQ100 accounts need to used the recovery code, if they can
|
||||
// check the status of recoveryCode credential
|
||||
if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
|
||||
LOG.debug("Recovery: emailAndCode")
|
||||
response.setResult('needCode')
|
||||
return
|
||||
} else {
|
||||
LOG.warning("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
|
||||
response.setResult('ok')
|
||||
return
|
||||
}
|
||||
|
||||
// mustRecover role not set, so code needs to be checked
|
||||
} else {
|
||||
LOG.debug("Recovery: email")
|
||||
response.setResult('ok')
|
||||
|
|
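Review bot: `recoveryCredential` on the new `LOG.debug("Recovery: RecoveryCode is ...")` line in the @ -87 hunk is not defined anywhere in view — the variable introduced two lines above is `recoveryCode` — so as soon as a RECOVERY credential exists the GString evaluation raises a MissingPropertyException inside the try block. The intent is presumably the credential state, as the @ -138 hunk logs it later: `LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode.state.text() : 'none'}'")`. Separately, `blockingCredentialStates` in the @ -11 hunk includes `LOCKED` and `LOCKED_TEMPORARY`, so in the @ -138 hunk an AQ100 account whose recovery code was locked by failed attempts falls into the `else` branch and is verified by email only; if that downgrade is not intended, the lock states should produce a failure result rather than `'ok'`, leaving the skip for codes that are genuinely absent or retired. The duplicated `// mustRecover role not set, so code needs to be checked` comment placed before `} else {` now describes the wrong branch and could be dropped. The enclosing `if` and `try` begin outside these hunks.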