new configuration version

This commit is contained in:
haburger 2024-12-17 11:26:34 +00:00
parent 981280c631
commit 1c1b066431
3 changed files with 36 additions and 30 deletions


@ -45,7 +45,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
tag: "r-d19a190ffad492ab91a9ed98a565105e0bd12bf5"
tag: "r-76bb710ec35345bf5eb9149c3a3542ee7e23a2eb"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
credentials: "git-credentials"
keystores:


@ -1753,8 +1753,6 @@
<property name="script" value="file:///var/opt/nevisauth/default/conf/sanitizeAndDispatchRecoveryEmailInput.groovy"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="cancel" next="Auth_Realm_Recovery_Auth_Failed"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="confirm" next="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket"/>
<!-- source: pattern://584964c837512845d7940809 -->
@ -1882,18 +1880,6 @@
<!-- source: pattern://584964c837512845d7940809 -->
<property name="sess:agov.recovery.email" value="${inargs:email}"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<Gui name="Error">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<GuiElem name="info" type="error" label="error_99"/>
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<GuiElem name="submit" type="button" label="continue.button.label"/>
</Gui>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_verifyUrlTicket" class="ch.nevis.idm.authstate.IdmURLTicketVerifyState" final="false" resumeState="true">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_invalidateCode"/>
@ -2046,6 +2032,18 @@
<!-- source: pattern://584964c837512845d7940809 -->
<property name="detaillevel.credential" value="HIGH"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Auth_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<Gui name="Error">
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<GuiElem name="info" type="error" label="error_99"/>
<!-- source: pattern://473f9d6b4ab9d61c1eb8c689 -->
<GuiElem name="submit" type="button" label="continue.button.label"/>
</Gui>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_emailSent_screen" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
<!-- source: pattern://6364d27d1ca954be8ef7cb46 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_emailSent_screen"/>
@ -2175,25 +2173,25 @@
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin" class="ch.nevis.idm.authstate.IdmPasswordVerifyState" final="true" resumeState="true">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<ResultCond name="clientNotFound" next="Auth_Realm_Recovery_Auth_Failed"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
<ResultCond name="disabled" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="failed" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="lockWarn" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
<ResultCond name="locked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="no_code-true" next="Auth_Realm_Recovery_Recovery_getCredentials"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
<ResultCond name="nowLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_Auth_codeVerified"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="pwChange" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_codeLocked"/>
<ResultCond name="tmpLocked" next="Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin"/>
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://584964c837512845d7940809 -->
@ -2299,13 +2297,6 @@
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="out.audienceRestriction" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_ERROR">
<!-- source: pattern://584964c837512845d7940809 -->
<Gui name="recovery_check_noCode"/>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_getCredentials"/>
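Review bot: In the hunk at `@ -2175,25 +2173,25 @@`, the `disabled`, `locked`, `nowLocked` and `tmpLocked` outcomes of `Auth_Realm_Recovery_Recovery_Auth_IdmUserIdPasswordLogin` appear to be rerouted to the login state itself instead of the terminal `Auth_Realm_Recovery_Recovery_Auth_codeLocked` state; the rendered page has lost the +/- markers, so this reading rests on print order plus the removal of the `Auth_Realm_Recovery_Recovery_Auth_codeLocked` state in the hunk at `@ -2299,13 +2297,6 @@`. If that is right, a locked or disabled credential no longer ends the recovery flow: the user is simply re-prompted, IdmPasswordVerifyState runs again on every retry, and the only remaining terminal outcomes visible here are `ok` and `clientNotFound`. Consider routing the lock outcomes to the existing error state, e.g. `<ResultCond name="locked" next="Auth_Realm_Recovery_Auth_Failed"/>` (and the same for `disabled`, `nowLocked`, `tmpLocked`), or add a comment on the state saying why re-prompting on a locked credential is the intended behaviour. The `<!-- source: pattern://… -->` markers suggest this file is generated from nevisAdmin patterns, so the correction presumably belongs in the pattern rather than in this output file.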


@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
]
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
try {
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
def userState = userDto.state
def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
LOG.debug("Recovery: Dto is '${userDto}")
LOG.debug("Recovery: state is '${userState}")
LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCredential : 'none'}'")
def session = request.getAuthSession(true)
if (userState == 'ACTIVE') {
@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
if ((maxLoi == 'level100') && (mustRecover == null)) {
// mustRecover role not set, so code needs to be checked
// AQ100 accounts need to used the recovery code, if they can
// check the status of recoveryCode credential
if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
LOG.debug("Recovery: emailAndCode")
response.setResult('needCode')
return
} else {
LOG.warning("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
response.setResult('ok')
return
}
// mustRecover role not set, so code needs to be checked
} else {
LOG.debug("Recovery: email")
response.setResult('ok')