new configuration version

This commit is contained in:
haburger 2025-02-06 16:23:53 +00:00
parent 63eda617f6
commit 2516fd0bcb
4 changed files with 84 additions and 50 deletions


@ -45,7 +45,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
tag: "r-c7f7304e5441912a692611196c6e13ec89ee8c65"
tag: "r-a3e306d2c5cbd1ab8bde2a53d90c7c814c512a7f"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
credentials: "git-credentials"
keystores:


@ -2100,7 +2100,7 @@
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="notFullyRegistered" next="Auth_Realm_Recovery_Recovery_sendEmail031b"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
<ResultCond name="ok" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://584964c837512845d7940809 -->
@ -2231,26 +2231,17 @@
<!-- source: pattern://584964c837512845d7940809 -->
<property name="client.name" value="agov"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_authWithNewCredentials" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="default" next="Auth_Realm_Recovery_Auth_Failed"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="loginWithFido2" next="Auth_Realm_Recovery_Recovery_fido2Login"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="loginWithFidoUAF" next="Auth_Realm_Recovery_Recovery_mobile_nless_auth"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="notNeeded" next="Auth_Realm_Recovery_Recovery_redirectAgovMe"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<Response value="AUTH_ERROR">
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<Gui name="AuthErrorDialog"/>
</Response>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:loginWithFido2" value="${sess:agov.recovery.newLoginFactor}==FIDO2"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:loginWithFidoUAF" value="${sess:agov.recovery.newLoginFactor}==ACCESS_APP"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:notNeeded" value="${sess:agov.recovery.newLoginFactor}==NONE"/>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="back" next="Auth_Realm_Recovery_Recovery_Auth_verifyUser"/>
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="redirect" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_CONTINUE"/>
<!-- source: pattern://584964c837512845d7940809 -->
<property name="scriptTraceGroup" value="Recovery"/>
<!-- source: pattern://584964c837512845d7940809 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_createURLTicket_logReason" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://9a1d3c6052019748d3510261 -->
@ -2329,7 +2320,7 @@
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeSkipped" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_CONTINUE"/>
<!-- source: pattern://584964c837512845d7940809 -->
@ -2339,7 +2330,7 @@
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_Auth_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<!-- source: pattern://584964c837512845d7940809 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_authWithNewCredentials"/>
<ResultCond name="default" next="Auth_Realm_Recovery_Recovery_Auth_prepareRedirect"/>
<!-- source: pattern://584964c837512845d7940809 -->
<Response value="AUTH_CONTINUE"/>
<!-- source: pattern://584964c837512845d7940809 -->
@ -2349,6 +2340,42 @@
<!-- source: pattern://584964c837512845d7940809 -->
<property name="sess:agov.recovery.codeDetailStatus" value="n/a"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_authWithNewCredentials" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="default" next="Auth_Realm_Recovery_Auth_Failed"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="loginWithFido2" next="Auth_Realm_Recovery_Recovery_fido2Login"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="loginWithFidoUAF" next="Auth_Realm_Recovery_Recovery_mobile_nless_auth"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<ResultCond name="notNeeded" next="Auth_Realm_Recovery_Recovery_redirectAgovMe"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<Response value="AUTH_ERROR">
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<Gui name="AuthErrorDialog"/>
</Response>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:loginWithFido2" value="${sess:agov.recovery.newLoginFactor}==FIDO2"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:loginWithFidoUAF" value="${sess:agov.recovery.newLoginFactor}==ACCESS_APP"/>
<!-- source: pattern://c1c0941f54cc36340578ff5f -->
<property name="condition:notNeeded" value="${sess:agov.recovery.newLoginFactor}==NONE"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_redirectAgovMe_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://6061abea33a234fad73897b7 -->
<ResultCond name="ok" next="Auth_Realm_Recovery_Prepare_Done"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://6061abea33a234fad73897b7 -->
<Gui name="not_used"/>
</Response>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="parameter.agovmedirecturl" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_fido2Login" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- source: pattern://54c1b68431bc2e03b61edcaa -->
<ResultCond name="cancel" next="Auth_Realm_Recovery_Auth_Failed"/>
@ -2399,20 +2426,16 @@
<!-- source: pattern://4bc453bf68139ee87966b0c7 -->
<property name="parameter.recoveryurl" value="https://auth.agov-w.azure.adnovum.net/AUTH/RECOVERY/"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_redirectAgovMe_Handle_Redirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
<!-- source: pattern://6061abea33a234fad73897b7 -->
<ResultCond name="ok" next="Auth_Realm_Recovery_Prepare_Done"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<Response value="AUTH_CONTINUE">
<!-- source: pattern://6061abea33a234fad73897b7 -->
<Gui name="not_used"/>
<AuthState name="Auth_Realm_Recovery_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Auth_Done"/>
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Response value="AUTH_DONE">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Gui name="ContinueResponse"/>
</Response>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="parameter.agovmedirecturl" value="https://ob.agov-w.azure.adnovum.net/mock-me/process"/>
<!-- source: pattern://6061abea33a234fad73897b7 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy"/>
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_mobile_nless_auth_Processing" class="ch.nevis.auth.fido.uaf.authstate.OutOfBandFidoUafAuthState" final="false" resumeState="false">
<!-- source: pattern://4bc453bf68139ee87966b0c7 -->
@ -2437,16 +2460,12 @@
<!-- source: pattern://4bc453bf68139ee87966b0c7 -->
<property name="dispatchTargetId" value="${sess:agov.recovery.accessapp.dispatchTargetId}"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<ResultCond name="default" next="Auth_Realm_Recovery_Auth_Done"/>
<AuthState name="Auth_Realm_Recovery_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Response value="AUTH_DONE">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Gui name="ContinueResponse"/>
</Response>
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Recovery_mobile_nless_auth_PostProcessing" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<!-- source: pattern://4bc453bf68139ee87966b0c7 -->
@ -2456,13 +2475,6 @@
<!-- source: pattern://4bc453bf68139ee87966b0c7 -->
<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:accessapp"/>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Response value="AUTH_DONE">
<!-- source: pattern://6061abea33a234fad73897b7, pattern://204c22beaccdfd22727af378 -->
<Gui name="ContinueResponse"/>
</Response>
</AuthState>
<AuthState name="Auth_Realm_Recovery_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
<!-- source: pattern://204c22beaccdfd22727af378 -->
<ResultCond name="nomatch" next="Auth_Realm_Recovery_Recovery_Auth"/>


@ -0,0 +1,22 @@
if (session['agov.recovery.redirectDone']) {
// user navigated back from AGOV.me, go again for the code
// clean up SAML state first,
// IdentityProviderState sets session attributes as follows
// <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
// State name contains the name of the pattern 'Recovery_redirectAgovMe'
def s = request.getAuthSession(true)
def sessionKeySet = new HashSet(session.keySet())
sessionKeySet.each { key ->
if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
LOG.debug("Deleted session attribute '${key}'")
s.removeAttribute(key)
}
}
s.removeAttribute('agov.recovery.redirectDone')
response.setResult('back')
} else {
// redirect
response.setSessionAttribute('agov.recovery.redirectDone', 'true')
response.setResult('redirect')
}
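Review bot: The branch at the top of the new script relies on Groovy truth of whatever is stored under `agov.recovery.redirectDone`, so any non-empty string — including a literal 'false' written by another script — would route the user to `back`; since the else branch stores the string 'true', compare it explicitly, `if (session['agov.recovery.redirectDone'] == 'true') {`. The cleanup loop over the `Recovery_redirectAgovMe-session-participants` keys is a verbatim copy of the loop in the last file of this commit, so the two regexes will drift unless they live in one place; if the runtime cannot share Groovy code between ScriptStates, a comment in each copy naming the other is the minimum. The debug message reports `Deleted` before `s.removeAttribute(key)` has run; move it after the call or word it `Removing session attribute`. Whether `response.setSessionAttribute` and `request.getAuthSession(true).removeAttribute` act on the same store is not visible here and is worth confirming, since the flag is set through one API and cleared through the other.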


@ -9,7 +9,7 @@ if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
def sessionKeySet = new HashSet(session.keySet())
sessionKeySet.each { key ->
if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
LOG.info("Deleted session attribute '${key}'")
LOG.debug("Deleted session attribute '${key}'")
s.removeAttribute(key)
}
}